Are you sure the bundle has the entire certificate chain for the CA? I usually use the CApath parameter. It requires each certificate in its own file with the hashed name, as explained in the howto.
Regards,
Jose

> On 15/9/2015, at 2:32, MingHeng Wang <[email protected]> wrote:
>
> Hello Stunnel maintainers,
> I'm trying to use the real certificates of my web server for stunnel. I combined the
> private key, my site's cert, and the ca-bundle into a PEM file, and it works fine
> when the client doesn't verify any certificate. Then I specified CAfile, which
> is the CA bundle file from my registrar, on the client side and turned on
> verification, and I always get the errors below, whatever the level, 2 or 3:
> Sep 15 14:53:28 y400 stunnel[11666]: LOG5[11]: Service [http-proxy3]
> connected remote server from 192.168.1.104:45746
> Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: CERT: Pre-verification error:
> unable to get issuer certificate
> Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: Rejected by CERT at depth=2:
>
> However, level 4 works. I want to prevent man-in-the-middle attacks, so can level
> 4 achieve that with my current setup?
> Both server and client side use stunnel 5.17, which is fairly recent.
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
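Added example, not from this thread or from the stunnel project: a shell script that builds a throwaway three-level PKI with openssl, shows the "unable to get issuer certificate" failure that `openssl verify -CAfile` reports when the bundle stops at the intermediate and lacks the root (the same check, `openssl verify -CAfile ca-bundle.pem site.pem`, tells you whether a registrar bundle is complete before pointing stunnel at it), and then splits the complete bundle into one-certificate files named by subject hash, which is the layout stunnel's CApath expects and what `c_rehash` (or `openssl rehash` on OpenSSL 1.1.0 and later) produces. It assumes `openssl` on PATH and a writable temp directory; the names (Example Root CA, www.example.test, the scratch directory) are made up.

```shell
#!/bin/sh
# Added example (not from the stunnel thread or project): build a throwaway
# three-level PKI, reproduce the "unable to get issuer certificate" failure
# with an incomplete CA bundle, and lay the bundle out as a CApath directory.
# Assumes: openssl on PATH, a writable temp directory. All names are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# One config file for everything; -subj overrides the placeholder CN.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.test
EOF

# Root (self-signed) -> intermediate -> leaf, mimicking a registrar-issued cert.
gen_pki() {
  openssl req -x509 -new -config pki.cnf -subj "/CN=Example Root CA" -days 30 -sha256 \
      -newkey rsa:2048 -nodes -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -config pki.cnf -subj "/CN=Example Intermediate CA" -sha256 \
      -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -sha256 \
      -extfile pki.cnf -extensions v3_ca -out int.pem 2>/dev/null
  openssl req -new -config pki.cnf -subj "/CN=www.example.test" -sha256 \
      -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -sha256 \
      -extfile pki.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
}

# How many certificates a bundle file holds.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Exit 0 if the leaf verifies against the given trust source, e.g.
#   chain_ok -CAfile bundle.pem leaf.pem    or    chain_ok -CApath dir leaf.pem
chain_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# Split a multi-certificate bundle into cert-0.pem, cert-1.pem, ... inside $2.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# CApath layout: one cert per file named <subject hash>.<n>, as c_rehash does.
build_capath() {
  dir=$1; shift; mkdir -p "$dir"
  for cert in "$@"; do
    h=$(openssl x509 -noout -hash -in "$cert")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # suffix resolves hash collisions
    cp "$cert" "$dir/$h.$n"
  done
}

main() {
  gen_pki
  cat int.pem > bundle-incomplete.pem        # intermediate only: root missing
  cat int.pem root.pem > bundle-full.pem     # intermediate plus the root
  echo "--- incomplete bundle ($(count_certs bundle-incomplete.pem) cert):"
  openssl verify -CAfile bundle-incomplete.pem leaf.pem || true
  echo "--- full bundle ($(count_certs bundle-full.pem) certs):"
  openssl verify -CAfile bundle-full.pem leaf.pem
  split_bundle bundle-full.pem split
  build_capath capath split/*.pem
  echo "--- CApath contents in $WORK/capath:"; ls capath
  openssl verify -CApath capath leaf.pem
}
main
```

The incomplete bundle fails because openssl finds the leaf's issuer (the intermediate) but then cannot find the intermediate's issuer; adding the root to the bundle, or splitting the full bundle into hash-named files under a CApath directory, makes the same leaf verify.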
