dansmith,
I'd be the last to argue with you.
Purely as an experiment, I tried changing the verify level from 4 to 3,
but it didn't fly. I most likely missed the entirety of the signing
chain, as I only added the certificate of the *issuing* CA.
Regards,
Thomas
On 7/8/2013 7:01 PM, dansmith wrote:
Thomas, the recent exception you are describing - needing a CA
certificate and a server certificate - is what verify=3 does.
So, I guess there is some regression in the code.
When I look at stunnel's verify.c code, there is only one reference to
level 4 in line 225. It seems like verify=4 functionality is missing
from the code.
On 07/08/2013 11:44 PM, Thomas Eifert wrote:
dansmith,
It's my understanding that verify = 4 should, theoretically, look only
for the server certificate, and this is the way I've been using it
with great success over the past year or so. Recently, however, I ran
into an exception to that behavior.
In my case, I only had to download and install one certificate; that
of the signing CA. I simply pasted it directly below the server
certificate in the associated .pem file. The CA certificate wasn't
originally in .pem format, so I converted it beforehand. OpenSSL has
conversion capability, and there are also online certificate tools
available. Your mileage may vary.
Good luck.
Thomas
On 7/8/2013 3:01 PM, dansmith wrote:
Could you kindly break it down for me? Are you saying that I need to
have two CAs, A & B, where A signs the certificate of B and B signs the
certificate of my server?
Do I understand correctly that verify=4 is supposed to simply ignore
any CAs and only look at the actual certificate, comparing it to the
certificate in CAfile?
On 07/08/2013 06:32 PM, Thomas Eifert wrote:
You're not missing anything. I've experienced a similar issue. While
verify = 4 generally works well in most cases and will ignore the CA
chain, I've encountered a few isolated incidents in which I've had to
append or "chain" the server certificate with the certificate of the
CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
I would expect that level 4 only compares locally installed
certificates; however, I get the same behaviour as with level 3:
stunnel expects a CA cert.
Here's the relevant log when on level 4:
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting certificate verification: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT: Verification error: unable to get local issuer certificate
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert (read): fatal: unknown CA
What am I missing in understanding verify's level 4?
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
--
Attention: This message and all attachments are private and may contain
information that is confidential and privileged. If you received this
message in error, please notify the sender by reply email and delete the
message immediately.
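The chaining step Thomas describes above (server certificate first, the issuing CA's certificate pasted below it, converting from DER when needed), as an added example that is not part of the thread or of stunnel itself. It assumes only the openssl command-line tool; the chain check reproduces the "unable to get local issuer certificate" error from dansmith's log when the wrong CA is supplied, so a bad bundle is caught before stunnel is restarted.

```sh
#!/bin/sh
# Added example, not from the thread: assemble the server .pem the way the
# thread describes (server certificate first, issuing CA certificate below
# it), converting a DER-encoded CA certificate on the way, and check with
# the openssl CLI that the leaf really chains to that CA.
# Assumes the openssl command is installed; file names are placeholders.

# cert_to_pem INPUT OUTPUT: pass a PEM certificate through, convert DER to PEM.
cert_to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -inform PEM -out "$2"
    else
        openssl x509 -in "$1" -inform DER -out "$2"
    fi
}

# chain_ok SERVER_PEM CA_PEM: exit 0 if SERVER_PEM was issued by CA_PEM, else
# exit 1 with openssl's reason on stderr (for a wrong CA this is the same
# "unable to get local issuer certificate" message stunnel logged).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# build_chain SERVER_PEM CA_CERT OUTPUT: write server cert followed by CA cert
# into OUTPUT, refusing to write a bundle whose CA did not sign the server
# cert. On success prints the number of certificates in the bundle.
build_chain() {
    ca_pem="$3.ca.tmp"
    cert_to_pem "$2" "$ca_pem" || return 1
    if ! chain_ok "$1" "$ca_pem"; then
        echo "build_chain: $2 did not issue $1; bundle not written" >&2
        rm -f "$ca_pem"
        return 1
    fi
    cat "$1" "$ca_pem" > "$3"
    rm -f "$ca_pem"
    grep -c 'BEGIN CERTIFICATE' "$3"
}
```

Point stunnel's cert option at the resulting bundle; the key file is unaffected.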