Re: Working cert rejection after reboot

2014-08-20 Thread Eckert, Doug
Thanks, and yes. A co-worker was having a look at the stunnel code while I was pursuing this. He found the message in their "verify.c" as well as a bug report against v4.32. They were checking for the cert's Subject to precisely match, throwing this error on a mismatch. It was patched in v4.4

Re: Working cert rejection after reboot

2014-08-20 Thread Dr. Stephen Henson
On Tue, Aug 19, 2014, Eckert, Doug wrote:
> Greetings.
>
> After a recent reboot, a previously working cert is now being rejected with
> "NO X509_NAME". I can't set the log level higher on the AIX side to get
> more detail. What are the most likely causes of the "NO X509_NAME" error?
>
> from

Re: Working cert rejection after reboot

2014-08-20 Thread Kyle Hamilton
You might also wish to verify that the openssl binary you're using for c_rehash is version 1.0.1e.

-Kyle H

On 8/20/2014 7:16 AM, Eckert, Doug wrote:
> The "Verify return code: 19" was because I specified the wrong CApath
> on the s_client.
>
> s_server/s_client works perfect. I also tried s_serv

Re: Working cert rejection after reboot

2014-08-20 Thread Eckert, Doug
The "Verify return code: 19" was because I specified the wrong CApath on the s_client. s_server/s_client works perfect. I also tried s_server with the stunnel client, and the cert is accepted no problem. I think this lies solely with the stunnel server process. Thanks so much for the extra set

Re: Working cert rejection after reboot

2014-08-20 Thread Eckert, Doug
It's stunnel 4.32 compiled on AIX 6.1 (TL8 SP3) with openssl 1.0.1e. Initially I thought this was in OpenSSL due to the "NO X509_NAME" message in the stunnel log. It had been working fine for years with the same certs, config files, etc with OpenSSL 0.9.8x and prior. Now I'm not so sure. When I

Re: Working cert rejection after reboot

2014-08-19 Thread Kyle Hamilton
Didn't the rehash naming or linking algorithm change sometime between 0.9.8 and 1.0.1? Also, 0.9.8 and 1.0.1 are not ABI-compatible. I don't know how AIX does shared-object support, but it might be wise to recompile stunnel against the new headers and libraries.

-Kyle H

On 8/19/2014 10:35 AM, E
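Added example (not code from this thread, from stunnel or from OpenSSL): a pure-Python reimplementation of the two subject-hash schemes behind the c_rehash question above. OpenSSL 0.9.8 named CApath links after the first four bytes of an MD5 over the subject's full DER encoding (X509_NAME_hash_old); 1.0.0 and later use SHA-1 over a canonicalised encoding (X509_NAME_hash), so a directory last rehashed by a 0.9.8 binary is not found by a 1.0.1e build. The CA subject, the "variant" spelling and the directory listing are constructed for illustration; only ASCII string types are canonicalised here (BMPString/T61String transcoding is not implemented), which is an assumption of this example, not a property of OpenSSL.

```python
"""CApath hash names for an X.509 subject under OpenSSL 0.9.8 and 1.0.x.

Added example for this thread, not code from the thread, stunnel or
OpenSSL.  It reimplements X509_NAME_hash_old() (MD5 over the full DER
Name) and the 1.0.0+ X509_NAME_hash() (SHA-1 over the canonical encoding)
in pure Python so the comparison runs offline without an openssl binary.
The CA subject at the bottom is constructed for illustration.  Only ASCII
string types are canonicalised (assumption: no BMP/T61 transcoding).
"""
import hashlib

SEQUENCE, SET = 0x30, 0x31
PRINTABLE, UTF8, IA5 = 0x13, 0x0C, 0x16
CANON_TYPES = {PRINTABLE, UTF8, IA5}     # ASCII subset of OpenSSL's ASN1_MASK_CANON
WS = b" \t\n\v\f\r"                      # what C isspace() accepts in the C locale
OIDS = {"C": b"\x06\x03\x55\x04\x06", "O": b"\x06\x03\x55\x04\x0a",
        "OU": b"\x06\x03\x55\x04\x0b", "CN": b"\x06\x03\x55\x04\x03"}

# A subject is a list of RDNs; each RDN is a list of (attr, asn1_tag, value_bytes).


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + content


def encode_attr(attr: str, tag: int, value: bytes) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }."""
    return der_tlv(SEQUENCE, OIDS[attr] + der_tlv(tag, value))


def encode_rdn(entries, attr_encoder) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue.
    DER orders SET members by their encodings; OpenSSL's der_cmp() is
    memcmp-then-length, which is exactly Python's ordering on bytes."""
    return der_tlv(SET, b"".join(sorted(attr_encoder(*e) for e in entries)))


def encode_name(rdns) -> bytes:
    """Full DER Name ::= SEQUENCE OF RDN: the bytes the 0.9.8 hash covers."""
    return der_tlv(SEQUENCE, b"".join(encode_rdn(r, encode_attr) for r in rdns))


def canon_value(tag: int, value: bytes):
    """asn1_string_canon(): directory-string types become UTF8String with
    leading/trailing whitespace dropped, internal whitespace runs collapsed
    to one space and ASCII letters lower-cased; other types pass unchanged."""
    if tag not in CANON_TYPES:
        return tag, value
    out, pending_space = bytearray(), False
    for b in value.strip(WS):
        if b < 0x80 and b in WS:
            pending_space = True
            continue
        if pending_space:
            out.append(0x20)
            pending_space = False
        out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)   # ASCII tolower()
    return UTF8, bytes(out)


def canonical_encoding(rdns) -> bytes:
    """x->canon_enc: the canonicalised RDN SETs concatenated, with the outer
    SEQUENCE header deliberately omitted."""
    def attr(a, tag, value):
        return encode_attr(a, *canon_value(tag, value))
    return b"".join(encode_rdn(r, attr) for r in rdns)


def subject_hash_old(rdns) -> int:
    """X509_NAME_hash_old(): first 4 bytes of MD5 over the full DER, little-endian."""
    return int.from_bytes(hashlib.md5(encode_name(rdns)).digest()[:4], "little")


def subject_hash(rdns) -> int:
    """X509_NAME_hash() since 1.0.0: SHA-1 over the canonical encoding, same packing."""
    return int.from_bytes(hashlib.sha1(canonical_encoding(rdns)).digest()[:4], "little")


def capath_names(rdns, n: int = 0):
    """c_rehash link names for this subject as (1.0.x-style, 0.9.8-style);
    both are "%08x.N", N incrementing on hash collisions within the directory."""
    return f"{subject_hash(rdns):08x}.{n}", f"{subject_hash_old(rdns):08x}.{n}"


def capath_status(listing, rdns) -> dict:
    """Given the file names present in a CApath directory, report which
    OpenSSL generation can locate this subject by hash lookup."""
    new, old = capath_names(rdns)
    return {"1.0.x": new in listing, "0.9.8": old in listing}


if __name__ == "__main__":
    # Constructed CA subject: C=US, O=Example Corp, CN=Example Root CA
    ca = [[("C", PRINTABLE, b"US")], [("O", PRINTABLE, b"Example Corp")],
          [("CN", PRINTABLE, b"Example Root CA")]]
    new, old = capath_names(ca)
    print("1.0.x link:", new, " 0.9.8 link:", old)
    # constructed listing: a directory last rehashed by a 0.9.8 c_rehash
    print(capath_status({old}, ca))
```

On a real system the same check is `openssl x509 -noout -subject_hash -in ca.pem` versus `openssl x509 -noout -subject_hash_old -in ca.pem` compared against the link names in the stunnel CApath; if only the old-style name is present, re-running c_rehash with the 1.0.1e binary (as Kyle suggests) recreates the links the new library looks for.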

RE: Working cert rejection after reboot

2014-08-19 Thread Salz, Rich
I'm a bit stumped. Is this openssl s_client/s_server, or stunnel that's failing? And are you sure it is using the certs that you think it is? Have you run, for example, s_client with -debug and -msg flags?

--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me

Re: Working cert rejection after reboot

2014-08-19 Thread Eckert, Doug
Thanks for the reply. It seems that in between reboots, OpenSSL was updated, and stunnel was re-compiled and delivered with the newer OpenSSL on the server (AIX) side.

2014.03.15 10:15:09 LOG5[3866990:1]: stunnel 4.32 on rs6000-ibm-aix with OpenSSL 0.9.8x 10 May 2012
2014.08.17 09:34:02 LOG5[41681

RE: Working cert rejection after reboot

2014-08-19 Thread Salz, Rich
> After a recent reboot, a previously working cert is now being rejected with
> "NO X509_NAME". I can't set the log level higher on the AIX side to get more
> detail. What are the most likely causes of the "NO X509_NAME" error?

Something changed in addition to the system rebooting. New softwa