Hello,

> can somebody please tell me what the hell is going on with my stunnel?
> I just re-initialized my Certificate Authority, and it's giving me all
> of these strange messages, like stunnel not verifying any of my certs-
> what's up with that?
>
> Anybody's assistance to help shed some light on this situation would be
> greatly appreciated.
>
> COMMAND- cat vat/log/stunnel.log:
> -----------------------------------------------------------------------
> 2006.07.27 23:13:35 LOG5[1058:3083381680]: VERIFY IGNORE:
> depth=0, /C=US/ST=Florida/L=St. Petersburg/O=Health Plan Partners,
> LLC./OU=Certificate
> Authority/CN=hpprx.com/[EMAIL PROTECTED]
> 2006.07.27 23:13:35 LOG5[1058:3083381680]: VERIFY IGNORE:
> depth=0, /C=US/ST=Florida/L=St. Petersburg/O=Health Plan Partners,
> LLC./OU=Certificate
> Authority/CN=hpprx.com/[EMAIL PROTECTED]
> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> read server certificate A
The server sends us (stunnel) its certificate ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> read server certificate request A
.... and is requesting authentication from us ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> read server done A
.... and is ending this part of the handshake.

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> write client certificate A
We (stunnel) write our CERTIFICATE to the server (the server asked us for that) ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> write client key exchange A
.... and the generated pre_master_secret encrypted with the server public key ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> write certificate verify A
.... and some strange data encrypted with our private key ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> write change cipher spec A
.... and now we want to switch to the encrypted channel ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> write finished A
.... and now we are sending more strange message digest data encrypted with the server public key ...

> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL state (connect): SSLv3
> flush data
> 2006.07.27 23:13:35 LOG7[1058:3083381680]: SSL alert (read): fatal: bad
> certificate
And in response the server is telling us (stunnel) that the sent CERTIFICATE is BAD.
This means that the server is unable to verify the stunnel certificate.
Probably because it has no certificate of the CA which issued this certificate,
or the stunnel certificate is expired, or ...

Copy the stunnel certificate to the server and use:

  $ openssl verify -CAfile cafile_used_by_server.pem \
        stunnel_certificate.pem

When this succeeds, you should be able to establish an SSL connection with
peer verification. If you generated a new CA, you should put the new CA
certificate on the server side too.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
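The check Marek recommends, reproduced end to end in a scratch directory as an added example (not part of the thread): a throwaway "old" CA and a re-initialised "new" CA are created, a client certificate is issued by the new CA, and `openssl verify -CAfile` is run against each CA file. Against the stale CA file the verification fails, which is the condition under which a server answers the client certificate with the `bad certificate` alert seen in the log; all file names and subjects here are constructed for the example.

```shell
#!/bin/sh
# Scratch reproduction of the "re-initialised CA" failure: a client cert issued
# by the NEW CA does not chain to the OLD CA file a server may still be using.
# Every name below (old-ca, new-ca, stunnel) is constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA certificate and key without interactive prompts.
make_ca() {  # $1 = file prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example CA/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a client certificate signed by the CA named by $1.
issue_client() {  # $1 = CA prefix, $2 = output prefix
    openssl req -newkey rsa:2048 -nodes -subj "/CN=stunnel-client" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# Same check a server performs before it accepts (or rejects) a client cert:
# returns 0 when $2 chains to the CA file $1, non-zero otherwise.
chains_to() {  # $1 = cafile, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca old-ca "Old CA"                 # CA the server was configured with
make_ca new-ca "Re-initialised CA"      # CA after the re-initialisation
issue_client new-ca stunnel             # stunnel cert issued by the new CA

if chains_to old-ca.pem stunnel.pem; then
    echo "old cafile: OK"
else
    echo "old cafile: FAIL - server holding this cafile sends 'bad certificate'"
fi
if chains_to new-ca.pem stunnel.pem; then
    echo "new cafile: OK - install new-ca.pem on the server side"
fi
```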