
[stunnel-users] certificate verify failed


Roman Tuchyna

Jun 19, 2013, 8:17:00 AM
Hi All,

I'm trying to create an SSL tunnel between my server (Win 2008 R2, 4.56
version of stunnel) and a remote application server - I have merged both
root and sub certificate into 1 file and it looks like it can verify
them and accept them as well, but then it tries to verify it at
depth=0 and says certificate not found in local repository. Am I
missing anything here? (I modified messages to not disclose details
of certificates in the debug below).

Thank you!
BR,
Roman


2013.06.18 11:22:34 LOG7[272:2156]: Service [SZX] started
2013.06.18 11:22:34 LOG5[272:2156]: Service [SZX] accepted connection from 127.0.0.1:49397
2013.06.18 11:22:34 LOG6[272:2156]: connect_blocking: connecting 10.254.0.21:443
2013.06.18 11:22:34 LOG7[272:2156]: connect_blocking: s_poll_wait 10.254.0.21:443: waiting 10 seconds
2013.06.18 11:22:34 LOG5[272:2156]: connect_blocking: connected 10.254.0.21:443
2013.06.18 11:22:34 LOG5[272:2156]: Service [SZX] connected remote server from 192.168.20.23:49398
2013.06.18 11:22:34 LOG7[272:2156]: Remote socket (FD=396) initialized
2013.06.18 11:22:34 LOG7[272:2156]: SNI: sending servername: 10.254.0.21
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): before/connect initialization
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): SSLv3 write client hello A
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): SSLv3 read server hello A
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=2, /CN=xxx RootCA
2013.06.18 11:22:34 LOG5[272:2156]: Certificate accepted: depth=2, /CN=xxx RootCA
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=1, /CN=xxx
2013.06.18 11:22:34 LOG5[272:2156]: Certificate accepted: depth=1, /CN=xxx SubCA1
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=0, /C=zzz
2013.06.18 11:22:34 LOG4[272:2156]: CERT: Certificate not found in local repository
2013.06.18 11:22:34 LOG4[272:2156]: Certificate check failed: depth=0, /C=zzz
2013.06.18 11:22:34 LOG7[272:2156]: SSL alert (write): fatal: certificate unknown
2013.06.18 11:22:34 LOG3[272:2156]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.06.18 11:22:34 LOG5[272:2156]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.06.18 11:22:34 LOG7[272:2156]: Remote socket (FD=396) closed
2013.06.18 11:22:34 LOG7[272:2156]: Local socket (FD=376) closed
2013.06.18 11:22:34 LOG7[272:2156]: Service [SZX] finished (0 left)
_______________________________________________
stunnel-users mailing list
stunne...@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

Javier

Jun 19, 2013, 10:56:36 AM
Hi,

Looks like you have verify = 3 (verify the peer certificate against a
locally installed certificate) and it can't find the peer certificate to
verify against.

Are you sure that the CAfile contains the peer certificate too, not
only the CAs?

If you use verify = 2 (it just verifies the certificate against the CA)
and it doesn't give errors there, you have the proof.

I may be wrong, but it looks like that :)

Regards.
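To make the distinction Javier is drawing concrete, here is a client-side stunnel.conf for the [SZX] service seen in the log, with the two verify levels side by side. This is an added example, not a file from the thread or from the stunnel project; the accept port and the CAfile path are assumed, the connect address is the one in the log.

```ini
; Added example, not from the thread: client-side stunnel.conf for the [SZX]
; service from the log. Exactly one "verify =" line should be active.
[SZX]
client = yes
; assumed local listening port (the log only shows the ephemeral source port)
accept = 127.0.0.1:4443
connect = 10.254.0.21:443
; assumed path. With verify = 2 this file needs only the chain that signs the
; peer certificate (root CA and SubCA1 in the thread's case).
CAfile = C:\stunnel\ca.pem
; Level 2: verify the peer certificate against the CA chain in CAfile.
verify = 2
; Level 3: as level 2, plus the peer's own (depth=0) certificate must itself
; be present in CAfile. "CERT: Certificate not found in local repository" is
; the message stunnel logs when it is not, which matches the log above.
;verify = 3
```

Switching from 3 to 2 and reconnecting is the quick test: if the handshake then succeeds, the CA chain is fine and only the peer's own certificate is missing from the file.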

Michal Trojnara

Jun 19, 2013, 3:55:37 PM
On 2013-06-19 14:17, Roman Tuchyna wrote:
> I'm trying to create an SSL tunnel between my server (Win 2008 R2, 4.56
> version of stunnel) and a remote application server - I have merged both
> root and sub certificate into 1 file and it looks like it can verify
> them and accept them as well, but then it tries to verify it at
> depth=0 and says certificate not found in local repository. Am I
> missing anything here?
I didn't test it myself, but some users reported that OpenSSL requires a
specific order of certificates and an empty line between them.

BTW: Are you sure that CAfile contains the certificate of *your peer*
(the remote application server)?

Mike
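The "empty line between them" half of that remark comes down to how a line-oriented PEM reader scans a bundle: a certificate is only recognised on a line that starts with the BEGIN marker, so when two files are concatenated and the first one has no trailing newline, the END of one block and the BEGIN of the next share a line and the second certificate is silently skipped. The script below is an added example, not part of the thread or of stunnel: it models that scan, flags a glued bundle, and rewrites it with every marker on its own line. The certificate bodies are constructed five-byte stand-ins, not real certificates, and the script checks structure only; it cannot tell you whether the peer's own certificate is in the file, which is the other thing both replies ask about.

```python
"""Sanity-check a PEM CAfile before handing it to stunnel (added example)."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)
# END marker followed by BEGIN on the same line (only blanks/tabs between).
_RUN_TOGETHER = re.compile(re.escape(END) + r"[ \t]*" + re.escape(BEGIN))


def line_reader_cert_count(text):
    """Model of a line-oriented PEM reader, the way OpenSSL's PEM_read_bio
    scans a file: a certificate starts only on a line that begins with
    BEGIN and ends on the next line that begins with END.  Returns how
    many certificates such a reader would find in ``text``."""
    count, inside = 0, False
    for line in text.splitlines():
        if not inside and line.startswith(BEGIN):
            inside = True
        elif inside and line.startswith(END):
            inside = False
            count += 1
    return count


def check_pem_bundle(text):
    """Return (repaired_text, cert_count, warnings) for a PEM bundle.

    Flags the things that bite when CA files are concatenated by hand:
      * an END marker and the next BEGIN marker on the same line;
      * unbalanced markers (a truncated block);
      * a base64 body that does not decode, or whose DER does not start
        with the SEQUENCE tag 0x30 that every X.509 certificate begins with.
    The repaired text has each marker on its own line and 64-column base64,
    which any PEM reader accepts.  Undecodable blocks are dropped.
    """
    warnings = []
    if _RUN_TOGETHER.search(text):
        warnings.append("END and BEGIN markers on one line: a line-oriented "
                        "reader will miss the certificate that follows")
    if text.count(BEGIN) != text.count(END):
        warnings.append("unbalanced BEGIN/END markers: truncated block")
    blocks = []
    for n, m in enumerate(_BLOCK.finditer(text), 1):
        body = "".join(m.group(1).split())  # tolerate any line wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            warnings.append(f"block {n}: base64 does not decode, dropped")
            continue
        if not der or der[0] != 0x30:
            warnings.append(f"block {n}: not a DER SEQUENCE, dropped")
            continue
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]))
    repaired = "\n".join(blocks) + ("\n" if blocks else "")
    return repaired, len(blocks), warnings


# Constructed stand-ins, NOT real certificates: each body decodes to a
# five-byte DER SEQUENCE, enough for the structural checks above.
FAKE_ROOT = "MAMCAQE="
FAKE_SUB = "MAMCAQI="
# What concatenating root.pem and sub.pem yields when root.pem has no
# trailing newline: END of the first block and BEGIN of the second share a line.
GLUED_BUNDLE = (f"{BEGIN}\n{FAKE_ROOT}\n{END}"
                f"{BEGIN}\n{FAKE_SUB}\n{END}\n")

if __name__ == "__main__":
    print("line reader sees", line_reader_cert_count(GLUED_BUNDLE), "cert(s)")
    fixed, n, warns = check_pem_bundle(GLUED_BUNDLE)
    for w in warns:
        print("WARNING:", w)
    print(f"{n} valid certificate(s) after repair; line reader now sees",
          line_reader_cert_count(fixed))
```

Run it against the real CAfile by reading the file into `check_pem_bundle`; if the count it reports after repair is higher than what `line_reader_cert_count` saw before, the file was glued and the repaired text is the one to give stunnel. With `verify = 3` the count must include the peer's own certificate, not just the root and the sub-CA.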
