The "Verify return code: 19" was because I specified the wrong CApath on the s_client.
s_server/s_client works perfectly. I also tried s_server with the stunnel client, and the cert is accepted no problem.

I think this lies solely with the stunnel server process. Thanks so much for the extra set of eyes. I'll recompile stunnel and bug those guys if the issue persists ;-)

On Wed, Aug 20, 2014 at 9:18 AM, Eckert, Doug <doug.eck...@dowjones.com> wrote:

> It's stunnel 4.32 compiled on AIX 6.1 (TL8 SP3) with openssl 1.0.1e.
>
> Initially I thought this was in OpenSSL due to the "NO X509_NAME" message
> in the stunnel log. It had been working fine for years with the same
> certs, config files, etc with OpenSSL 0.9.8x and prior. Now I'm not so
> sure.
>
> When I try s_client/s_server I get a "Verify return code: 19 (self signed
> certificate in certificate chain)" on the client. The cert in question is
> our own private root CA. There's no indication of the "NO X509_NAME" when
> using s_client/server.
>
> On Tue, Aug 19, 2014 at 9:17 PM, Salz, Rich <rs...@akamai.com> wrote:
>
>> I’m a bit stumped. Is this openssl s_client/s_server, or stunnel that’s
>> failing? And are you sure it is using the certs that you think it is?
>> Have you run, for example, s_client with -debug and -msg flags?
>>
>> --
>> Principal Security Engineer
>> Akamai Technologies, Cambridge MA
>> IM: rs...@jabber.me Twitter: RichSalz

--
*Doug Eckert*
*Technical Architect*
*Global Business Technology*
*Dow Jones* | *A News Corporation Company*
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
*Email: **doug.eck...@dowjones.com* <al...@dowjones.com>