
Mike,

I tried your config. I had to comment out the foreground and pid statements, as they produced error messages (I'm running under Win 7). I also had to change the server address to a valid one, but in any case it's producing the same error.

Here's the log:

2013.10.24 17:23:28 LOG7[2824:2876]: Service [test_cli] accepted (FD=436) from 127.0.0.1:49487
2013.10.24 17:23:28 LOG7[2824:2876]: Creating a new thread
2013.10.24 17:23:28 LOG7[2824:2876]: New thread created
2013.10.24 17:23:28 LOG7[2824:3420]: Service [test_cli] started
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] accepted connection from 127.0.0.1:49487
2013.10.24 17:23:28 LOG6[2824:3420]: connect_blocking: connecting 69.16.186.7:443
2013.10.24 17:23:28 LOG7[2824:3420]: connect_blocking: s_poll_wait 69.16.186.7:443: waiting 10 seconds
2013.10.24 17:23:28 LOG5[2824:3420]: connect_blocking: connected 69.16.186.7:443
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] connected remote server from 192.168.5.9:49488
2013.10.24 17:23:28 LOG7[2824:3420]: Remote socket (FD=608) initialized
2013.10.24 17:23:28 LOG7[2824:3420]: SNI: sending servername: news80.forteinc.com
2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): before/connect initialization
2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): SSLv3 write client hello A
2013.10.24 17:23:29 LOG7[2824:3420]: SSL state (connect): SSLv3 read server hello A
2013.10.24 17:23:29 LOG7[2824:3420]: Starting certificate verification: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG4[2824:3420]: CERT: Verification error: unable to get local issuer certificate
2013.10.24 17:23:29 LOG4[2824:3420]: Certificate check failed: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG7[2824:3420]: SSL alert (write): fatal: unknown CA
2013.10.24 17:23:29 LOG3[2824:3420]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.10.24 17:23:29 LOG5[2824:3420]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.10.24 17:23:29 LOG7[2824:3420]: Remote socket (FD=608) closed
2013.10.24 17:23:29 LOG7[2824:3420]: Local socket (FD=436) closed
2013.10.24 17:23:29 LOG7[2824:3420]: Service [test_cli] finished (1 left)

Here's my own test configuration:

debug = 7
fips = no
delay = yes
output = stunnel.log

[nntps.6]
client = yes
cafile = peer-nntps.6.pem
verify = 4
accept = 127.0.0.1:119
connect = news80.forteinc.com:443

Regards,
Thomas

On 10/24/2013 4:19 PM, Michal Trojnara wrote:
> On 2013-10-24 23:07, Thomas Eifert wrote:
>> I'm not having your luck. Out of ten services, I have eight verify = 4's that work as they should, and two that need the CA certificate to be added.
>
> I don't think it's about luck. I'm pretty sure there is something wrong with your configuration. The one I sent you works fine. I won't be able to diagnose yours, because you didn't send it. Please try to reproduce my setup first. If it doesn't help solve the problem immediately, send me your setup so I can reproduce your error.
>
> BTW: I highly recommend reading: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>
> Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
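Added example (not part of Thomas's or Mike's messages): a small Python triage script for stunnel debug logs like the one above. It groups lines by pid:tid and pulls out the service, remote address, SNI name, the verification error, and the depth and subject of the certificate that failed. The function name summarize and the field names are assumptions made for this example; the sample lines are copied from the log above.

```python
import re
from collections import OrderedDict

# stunnel log line: "2013.10.24 17:23:28 LOG7[2824:3420]: message"
LINE_RE = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG(\d)\[(\d+):(\d+)\]: (.*)$")

# Message patterns taken from the log above -> summary field names (names are assumptions).
FIELDS = [
    (("service",), re.compile(r"^Service \[([^\]]+)\] started")),
    (("remote",), re.compile(r"^connect_blocking: connected (\S+)")),
    (("sni",), re.compile(r"^SNI: sending servername: (\S+)")),
    (("verify_error",), re.compile(r"^CERT: Verification error: (.+)")),
    (("depth", "subject"), re.compile(r"^Certificate check failed: depth=(\d+), (.+)")),
    (("alert",), re.compile(r"^SSL alert \(write\): (.+)")),
]

# Lines copied from the log in the message above.
SAMPLE = """\
2013.10.24 17:23:28 LOG7[2824:2876]: Service [test_cli] accepted (FD=436) from 127.0.0.1:49487
2013.10.24 17:23:28 LOG7[2824:3420]: Service [test_cli] started
2013.10.24 17:23:28 LOG5[2824:3420]: connect_blocking: connected 69.16.186.7:443
2013.10.24 17:23:28 LOG7[2824:3420]: SNI: sending servername: news80.forteinc.com
2013.10.24 17:23:29 LOG4[2824:3420]: CERT: Verification error: unable to get local issuer certificate
2013.10.24 17:23:29 LOG4[2824:3420]: Certificate check failed: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG7[2824:3420]: SSL alert (write): fatal: unknown CA
2013.10.24 17:23:29 LOG7[2824:3420]: Service [test_cli] finished (1 left)
""".splitlines()

def summarize(lines):
    """Group log lines by pid:tid and collect each connection's verify outcome."""
    sessions = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or non-stunnel line
        _level, pid, tid, msg = m.groups()
        rec = sessions.setdefault(pid + ":" + tid, {})
        for names, pat in FIELDS:
            hit = pat.match(msg)
            if hit:
                for name, value in zip(names, hit.groups()):
                    rec.setdefault(name, value)
    # The accept thread never logs "started", so it is dropped here.
    return [dict(thread=t, **r) for t, r in sessions.items() if "service" in r]

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s)
```

Run against a full stunnel.log with several services, it gives one record per connection thread, which makes it easy to see which sections fail verification and at which depth.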