All,

I'm running stunnel 4.56 as a server on Linux, as I have been doing for a while. I require clients to connect using their own client certs and yesterday one of them expired. The client generated a new certificate and sent it to me to install, and I'm getting the error in the subject.

Version details:
$ sudo stunnel -help
stunnel 4.56 on x86_64-koji-linux-gnu platform
Compiled/running with OpenSSL 1.0.2k-fips  26 Jan 2017
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP

I have set verify=4 because I expect to place the exact certificate for every client into my CAFile.

This has been working for years, and when I connect using openssl s_client, I can see which client certificates the server advertises it will allow to connect, and they reflect what I expect.

The server certificate is also self-signed, so I copied that into the CAFile and I'm able to connect with openssl s_client using that certificate. So I think the problem can't be that the client's certificate is self-signed.

So, to recap:

1. stunnel in server mode
2. CAFile points to a collection of PEM certs
3. verify=4
4. I can connect with my own valid, trusted, self-signed certificate
5. Client cannot connect with their valid, trusted, self-signed cert

Any ideas?

(Note: the client DOES appear to be using their new certificate, though I can only see the subject text which could be the same, yet with a different actual certificate.)

Here is the debug(7) output from an attempted connection:

: Starting certificate verification: depth=0, [subject]
: CERT: Pre-verification error: self signed certificate
: Certificate check failed: depth=0, [subject]
: SSL alert (write): fatal: unknown CA
: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

Thanks,
-chris
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org
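Added example (not from the original post or from stunnel itself): with verify=4 stunnel only accepts a client whose presented certificate is itself in CAfile, so the first thing to check is whether the exact new certificate is in the bundle, not merely one with the same subject. The script below fingerprints every block in a PEM bundle and looks for the client's certificate by SHA-256 over its DER; the sample PEM blocks are constructed stand-ins (arbitrary bytes, not real X.509), but on real files the fingerprints match what `openssl x509 -noout -fingerprint -sha256` prints.

```python
import base64
import hashlib
import re

# One PEM certificate block; re.S lets the body span lines (LF or CRLF).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_body):
    """Decode one PEM body into DER bytes; stray whitespace/CRLF is ignored,
    so a cert mailed with Windows line endings fingerprints identically."""
    return base64.b64decode("".join(pem_body.split()))


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated upper-case form openssl prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def bundle_fingerprints(bundle_pem):
    """Fingerprint of every certificate in a PEM bundle, in file order."""
    return [fingerprint(pem_to_der(body)) for body in PEM_RE.findall(bundle_pem)]


def find_in_cafile(bundle_pem, client_pem):
    """0-based position of the client's exact certificate in the bundle, or None.
    Under verify=4 an exact match is what decides whether the client is accepted."""
    blocks = PEM_RE.findall(client_pem)
    if len(blocks) != 1:
        raise ValueError("client file must contain exactly one certificate")
    target = fingerprint(pem_to_der(blocks[0]))
    fps = bundle_fingerprints(bundle_pem)
    return fps.index(target) if target in fps else None


def make_pem(der, eol="\n"):
    """Wrap bytes as a PEM block (constructed sample data, not a real cert)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol


# Constructed stand-ins: the client's old cert, the server's own cert, and the
# client's renewed cert (same subject in real life, different bytes here).
OLD_CLIENT = make_pem(b"constructed: client cert issued 2016, now expired")
SERVER_CERT = make_pem(b"constructed: self-signed server cert")
NEW_CLIENT = make_pem(b"constructed: client cert renewed 2019")
CAFILE = OLD_CLIENT + SERVER_CERT  # the bundle as it stood before the renewal
```

If `find_in_cafile(CAFILE, NEW_CLIENT)` is None the server could only ever match the old certificate, which is consistent with the "unknown CA" alert at depth=0; after appending the new block, confirm it is found and that stunnel has re-read CAfile.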
