As a follow-up: It's definitely much happier having the cafile, but it's still giving me handshake problems regardless of the verification level. I'm using exactly the same certificates for both server and client and on the server side getting:

SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

And on the client side, things like:

CERT: Certificate not found in local repository

Which is to me peculiar, because I'm using exactly the same certificates, same DH, etc...

Thank you for all your help with this!

On Mon, Mar 28, 2016 at 11:04 AM, Jon Bogaty <[email protected]> wrote:
> Ideally what I'd love to do is enable developers to be able to connect
> their remote apps to the database proxy *without* the client-side
> handshake, but I was honestly not aware it was possible. So the ideal
> would be:
>
> Remote app connects directly via mysql driver to stunnel on port 3307
> encrypted with TLS
> stunnel forwards the connection to the proxy on 3306
>
> If that is possible without maintaining a connection stunnel to
> stunnel that would be beyond awesome; I'm just totally failing to see
> how to accomplish it!
>
> One thing I did find though is the root cert for GeoTrust, so I'm
> running tests now to see if that helps or at least generates new info.
> Based on your feedback I'm testing the following:
> cert = /etc/stunnel/stunnel.pem
> cafile = /etc/stunnel/GeoTrust_Global_CA.pem
>
> verify = 3
>
> On Mon, Mar 28, 2016 at 10:58 AM, Michał Trojnara
> <[email protected]> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On 28.03.2016 16:27, Jon Bogaty wrote:
>>> The issue is when I set up everything on the server and try to
>>> connect with a client I either get for "verify 2" warnings about
>>> MiTM authentication problems, or for "verify 3" or "verify 4",
>>> which should disable CA checking altogether to my understanding,
>>> "Please specify CApath".
>>
>> Verify levels 3 and 4 do *not* disable certificate verification.
>> Verify level 3 requires the peer certificate in your CAfile.
>> Verify level 4 *only* requires the peer certificate.
>>
>> Are you sure you want to enable peer certificate (i.e. client
>> certificate) verification in your SSL server configuration?
>>
>> Best regards,
>> Mike
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBCAAGBQJW+UZ4AAoJEC78f/DUFuAUQmIP/ijSfVmM/E3cgg3td/O9woOz
>> fxsmqVhQeFh44uD8TbNj/YMhH4LgtVuunE2wtzXx63ja2GJXE2CJR66kc+aIj16U
>> TjQOCRWdI2zsC4rDuO3v/xsAAuFp1ztwhMX7xNQ0uUwVuJ6emqCqSLwM4FiViMu7
>> 2gcC0em8mNfb4BemY6VwqYlITkHMOzhQZiZkP909EVbCo3yYlDN3e1CbvHbqM0Wm
>> t1qpB1KAixG8ThKGO40lXT/yFmWgOO7dFOqyNEV4JCdFSOSEDvUEtfvrR4yvLItk
>> f7nGWNfDoT1qgdHZdMG2MqexO72MvPcwOxrgFWn4bOz0fqsVzWLqH8gffy+w/L9p
>> mwS5p1WIMkHj9x+Fw1UUI+e6gJ8vgMYtMLJEdJu3yP3i13UY5tIRzCYANfv1vjHf
>> mK1afiNKyM0hM27drA1y8VJKBSjF6kJmnIAF5bh+tgVQjukr2yevxDYWb1GKg6wI
>> nqHvJv4moIGmySqA2Mqv32GDZn2GZCt5FK8AM6L+T6HKM143dKL9uBO9AdLi7Bmw
>> YfLlIvI3kgpKUCdwQ9RIirUwtThuVEqJYsl2jykseKBwuWu59vSY/np9crECWv6Z
>> b2For6WG5yqU7orPPJS8PV0JqLI4HRaTN1mquuQLFCrCttRvp8CIdpF40VXG7gdz
>> /ru7iPZfYYWG5qyvHys9
>> =1DFq
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> stunnel-users mailing list
>> [email protected]
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
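The rule Mike states above for `verify = 3` (the peer certificate itself must be present in the CAfile, not merely signed by something in it) is easy to check offline before debugging a live handshake. The script below is an added illustration, not stunnel's own code: stunnel performs this lookup through OpenSSL's certificate store, whereas this script simply splits a PEM bundle into its certificates and compares SHA-256 fingerprints of their DER encodings. The PEM blobs it uses are constructed placeholders (base64 of arbitrary bytes), not real X.509 certificates, since only byte-for-byte identity matters for the check.

```python
"""Illustration of the stunnel verify = 3 rule: the peer certificate must be
present in the CAfile bundle.  Added example, not stunnel's own code.
The PEM blobs below are constructed placeholders, not real certificates."""
import base64
import hashlib
import re

# Matches each CERTIFICATE block in a PEM bundle; the body may span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def peer_in_cafile(peer_pem: str, cafile: str) -> bool:
    """verify = 3 semantics: True only if the peer certificate is itself
    one of the certificates listed in the CAfile bundle."""
    peers = split_pem_bundle(peer_pem)
    if len(peers) != 1:
        raise ValueError("expected exactly one peer certificate")
    wanted = fingerprint(peers[0])
    return any(fingerprint(der) == wanted for der in split_pem_bundle(cafile))


def make_fake_pem(seed: bytes) -> str:
    """Constructed placeholder: wrap arbitrary bytes as a PEM block so the
    bundle parser and fingerprint comparison have something to operate on."""
    body = base64.encodebytes(seed).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for the files named in the thread.
CLIENT_CERT = make_fake_pem(b"constructed placeholder: client's stunnel.pem")
ROOT_CA = make_fake_pem(b"constructed placeholder: GeoTrust_Global_CA.pem")

# CAfile holding only the root CA, as in the quoted configuration.
ROOT_ONLY_CAFILE = ROOT_CA
# CAfile with the peer certificate appended, which is what verify = 3 wants.
ROOT_AND_CLIENT_CAFILE = ROOT_CA + CLIENT_CERT

if __name__ == "__main__":
    print("root-only CAfile:    ", peer_in_cafile(CLIENT_CERT, ROOT_ONLY_CAFILE))
    print("root + client CAfile:", peer_in_cafile(CLIENT_CERT, ROOT_AND_CLIENT_CAFILE))
```

Run against the placeholders, the root-only bundle reports `False` and the bundle with the peer certificate appended reports `True`. That is the same distinction the thread turns on: with `cafile` pointing at a root CA bundle alone, a peer presenting `stunnel.pem` is not in the local repository, so level 3 verification cannot succeed regardless of who signed that certificate.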
