Hello,

In the stunnel documentation, I see the following:

    level 4
    Ignore CA chain and only verify peer certificate.

My interpretation of level 4 was that only the server certificate had to be 
installed on the client in order for the cert verification to pass. No 
issuer/CA certificates were needed. However, when I do this, the connection 
fails. I see the following in the logs with verify=4:

2014.08.12 21:17:57 LOG7[26768]: Starting certificate verification: depth=0, subject=/C=US/CN=a.b.com
2014.08.12 21:17:57 LOG4[26768]: CERT: Verification error: unable to get local issuer certificate
2014.08.12 21:17:57 LOG4[26768]: Certificate check failed: depth=0, subject=/C=US/CN=a.b.com
2014.08.12 21:17:57 LOG7[26768]: SSL alert (write): fatal: unknown CA
2014.08.12 21:17:57 LOG3[26768]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

My config file contains the following:
verify = 4
CAfile = /opt/stunnel/certs/clients.pem
chroot = /opt/stunnel
setuid = stunnel
setgid = stunnel
pid = /run/stunnel.pid
debug = 7
output =  stunnel.log
options = NO_SSLv2
cert = /opt/stunnel/certs/server.pem
key  = /opt/stunnel/certs/server.pem


If I append the issuer certificate to the CAfile, after the peer certificate, 
then the connection is successful with verify=4.

Is this expected behavior? Is there a verify level that works as I described 
above: only the peer certificate needs to be present, no CA/issuer certificates 
at all?

Thank you for your help.
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
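The following script is an added example, not part of the post above and not stunnel's own code. It reproduces, with the plain openssl CLI, the chain-building step that produced the "unable to get local issuer certificate" error in the log: a throwaway issuer CA and a leaf with the post's subject name are generated (constructed test data; the CA name and file names are made up here), and the leaf is then verified against a CAfile containing only the leaf, against the leaf with the issuer appended after it (the layout the poster found working), and against the issuer alone. The last case adds OpenSSL's -partial_chain flag, which lets a certificate in the trust store serve as the trust anchor even though it is not self-signed, so the leaf alone in CAfile verifies. The script exercises OpenSSL's verifier only; stunnel layers its own verify-level handling on top of that, which is not modelled here, and the post does not say whether stunnel exposes the partial-chain behaviour.

```shell
#!/bin/sh
# Added example (not from the original post or from stunnel): reproduces the
# OpenSSL chain-building behaviour behind "unable to get local issuer
# certificate" using the openssl CLI against a throwaway CA and leaf.
# The leaf subject mirrors the log above; the CA name and paths are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway issuer and a leaf signed by it (constructed test data).
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/CN=Example Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/CN=a.b.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    # The two CAfile layouts the post compares: the peer certificate alone,
    # and the peer certificate with its issuer appended after it.
    cp "$WORK/leaf.pem" "$WORK/peer_only.pem"
    cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/peer_plus_issuer.pem"
}

# verify_leaf CAFILE [extra openssl-verify flags...]
# Prints "ok" on success or the OpenSSL error text on failure. The result is
# parsed from the tool output rather than taken from the exit status, because
# older openssl releases exit 0 even when verification fails.
verify_leaf() {
    cafile=$1; shift
    out=$(openssl verify "$@" -CAfile "$cafile" "$WORK/leaf.pem" 2>&1 || true)
    case $out in
        *": OK"*) echo ok ;;
        *"unable to get local issuer certificate"*)
            echo "unable to get local issuer certificate" ;;
        *) echo "fail: $out" ;;
    esac
}

make_certs
echo "peer cert only:                 $(verify_leaf "$WORK/peer_only.pem")"
echo "peer cert + issuer appended:    $(verify_leaf "$WORK/peer_plus_issuer.pem")"
echo "issuer only:                    $(verify_leaf "$WORK/ca.pem")"
echo "peer cert only, -partial_chain: $(verify_leaf "$WORK/peer_only.pem" -partial_chain)"
```

Without -partial_chain the first case fails exactly as the stunnel log does, because the verifier looks for the leaf's issuer in the trust store and does not find one; appending the issuer makes the chain complete, so the second and third cases pass. The -partial_chain case needs an OpenSSL release that supports the flag (1.1.0 or later).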
