The "Verify return code: 19" was because I specified the wrong CApath on
the s_client.

s_server/s_client works perfectly.  I also tried s_server with the stunnel
client, and the cert is accepted no problem.  I think this lies solely with
the stunnel server process.

Thanks so much for the extra set of eyes.  I'll recompile stunnel and bug
those guys if the issue persists  ;-)


On Wed, Aug 20, 2014 at 9:18 AM, Eckert, Doug <doug.eck...@dowjones.com>
wrote:

> It's stunnel 4.32 compiled on AIX 6.1 (TL8 SP3) with openssl 1.0.1e.
>
> Initially I thought this was in OpenSSL due to the "NO X509_NAME" message
> in the stunnel log.  It had been working fine for years with the same
> certs, config files, etc with OpenSSL 0.9.8x and prior.  Now I'm not so
> sure.
>
> When I try s_client/s_server I get a "Verify return code: 19 (self signed
> certificate in certificate chain)" on the client.  The cert in question is
> our own private root CA.  There's no indication of the "NO X509_NAME" when
> using s_client/server.
>
>
>
>
> On Tue, Aug 19, 2014 at 9:17 PM, Salz, Rich <rs...@akamai.com> wrote:
>
>> I’m a bit stumped.  Is this openssl s_client/s_server, or stunnel that’s
>> failing?  And are you sure it is using the certs that you think it is?
>> Have you run, for example, s_client with -debug and -msg flags?
>>
>>
>>
>> --
>>
>> Principal Security Engineer
>>
>> Akamai Technologies, Cambridge MA
>>
>> IM: rs...@jabber.me Twitter: RichSalz
>>
>>
>>
>
>
>
> --
>
> *Doug Eckert*
> *Technical Architect*
>
> *Global Business Technology*
> *Dow Jones* | *A News Corporation Company*
> P.O. Box 300 | Princeton NJ 08543-0300
> (W) 609.520.4993 (C) 732.666.3681
> *Email: **doug.eck...@dowjones.com* <al...@dowjones.com>
>
>
>

