Success, it worked using the 5.58 beta 1 and regenerating the pem certificate with it.
Thanks.

[Client_SyncThing]
client = yes
accept = 127.0.0.1:24596
connect = 192.168.0.102:999
verifyPeer = yes
CAfile = stunnel.pem
PSKsecrets = psk.txt

[Server_SyncThing]
cert = stunnel.pem
accept = 999
connect = 127.0.0.1:24596
ciphers = PSK
PSKsecrets = psk.txt

2020.10.19 17:07:13 LOG7[5]: Service [Server_SyncThing] started
2020.10.19 17:07:13 LOG7[5]: Setting local socket options (FD=1420)
2020.10.19 17:07:13 LOG7[5]: Option TCP_NODELAY set on local socket
2020.10.19 17:07:13 LOG5[5]: Service [Server_SyncThing] accepted connection from 192.168.0.2:55485
2020.10.19 17:07:13 LOG6[5]: Peer certificate not required
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): before SSL initialization
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): before SSL initialization
2020.10.19 17:07:13 LOG5[5]: Key configured for PSK identity "user1"
2020.10.19 17:07:13 LOG7[5]: Initializing application specific data for session authenticated
2020.10.19 17:07:13 LOG7[5]: Initializing application specific data for session authenticated
2020.10.19 17:07:13 LOG7[5]: Deallocating application specific data for session connect address
2020.10.19 17:07:13 LOG7[5]: Deallocating application specific data for session connect address
2020.10.19 17:07:13 LOG7[5]: Initializing application specific data for session authenticated
2020.10.19 17:07:13 LOG7[5]: SNI: no virtual services defined
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): SSLv3/TLS read client hello
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): SSLv3/TLS write server hello
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): SSLv3/TLS write change cipher spec
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): TLSv1.3 write encrypted extensions
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): SSLv3/TLS write certificate
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): TLSv1.3 write server certificate verify
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): SSLv3/TLS write finished
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): TLSv1.3 early data
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): TLSv1.3 early data
2020.10.19 17:07:13 LOG7[5]: TLS state (accept): SSLv3/TLS read finished
2020.10.19 17:07:13 LOG7[5]: 1 server accept(s) requested
2020.10.19 17:07:13 LOG7[5]: 1 server accept(s) succeeded
2020.10.19 17:07:13 LOG7[5]: 0 server renegotiation(s) requested
2020.10.19 17:07:13 LOG7[5]: 0 session reuse(s)
2020.10.19 17:07:13 LOG7[5]: 0 internal session cache item(s)
2020.10.19 17:07:13 LOG7[5]: 0 internal session cache fill-up(s)
2020.10.19 17:07:13 LOG7[5]: 0 internal session cache miss(es)
2020.10.19 17:07:13 LOG7[5]: 0 external session cache hit(s)
2020.10.19 17:07:13 LOG7[5]: 0 expired session(s) retrieved
2020.10.19 17:07:13 LOG6[5]: TLS accepted: new session negotiated
2020.10.19 17:07:13 LOG6[5]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2020.10.19 17:07:13 LOG6[5]: Peer temporary key: X25519, 253 bits
2020.10.19 17:07:13 LOG7[5]: Compression: null, expansion: null
2020.10.19 17:07:13 LOG6[5]: s_connect: connecting 127.0.0.1:24596
2020.10.19 17:07:13 LOG7[5]: s_connect: s_poll_wait 127.0.0.1:24596: waiting 10 seconds
2020.10.19 17:07:13 LOG7[5]: FD=1400 ifds=rwx ofds=---
2020.10.19 17:07:14 LOG5[5]: s_connect: connected 127.0.0.1:24596
2020.10.19 17:07:14 LOG6[5]: persistence: 127.0.0.1:24596 cached
2020.10.19 17:07:14 LOG5[5]: Service [Server_SyncThing] connected remote server from 127.0.0.1:55228
2020.10.19 17:07:14 LOG7[5]: Setting remote socket options (FD=1400)
2020.10.19 17:07:14 LOG7[5]: Option TCP_NODELAY set on remote socket
2020.10.19 17:07:14 LOG7[5]: Remote descriptor (FD=1400) initialized

On Sun, Oct 18, 2020 at 8:21 PM Michał Trojnara <[email protected]> wrote:

> On 10/14/2020 3:54 PM, Bob Bob wrote:
> > I am using the same certificate which is called stunnel.pem and is generated using the "Build a Self-signed stunnel.pem" on the server. Since "nsCertType = server" in openssl.cnf, it is a server type certificate.
> >
> > That file is copied on both the client and the server and the "verifyPeer = yes" option is set on the client side and I am still getting the same error message : ERT: Pre-verification error: unsupported certificate purpose.
> >
> > What am I doing wrong?
>
> I think you're doing everything right, and the certificates are wrong. Could you please try to generate a new stunnel.pem with stunnel-5.58b1 I just uploaded to https://www.stunnel.org/downloads.html?
>
> Best regards,
> Mike
>
> _______________________________________________
> stunnel-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
