certificate verify failed

Hi All,

I'm trying to create SSL tunnel between my server (Win 2008 R2, 4.56 version of stunnel) and remote application server - I have merged both root and sub certificate into 1 file and it looks like it can verify them and accept them as well, but then it tries to verify it at depth=0 and says certificate not found in local repository. Am I missing anything here? (I modified messages to not disclose details of certificates in the debug below).

Thank you!
BR, Roman

2013.06.18 11:22:34 LOG7[272:2156]: Service [SZX] started
2013.06.18 11:22:34 LOG5[272:2156]: Service [SZX] accepted connection from 127.0.0.1:49397
2013.06.18 11:22:34 LOG6[272:2156]: connect_blocking: connecting 10.254.0.21:443
2013.06.18 11:22:34 LOG7[272:2156]: connect_blocking: s_poll_wait 10.254.0.21:443: waiting 10 seconds
2013.06.18 11:22:34 LOG5[272:2156]: connect_blocking: connected 10.254.0.21:443
2013.06.18 11:22:34 LOG5[272:2156]: Service [SZX] connected remote server from 192.168.20.23:49398
2013.06.18 11:22:34 LOG7[272:2156]: Remote socket (FD=396) initialized
2013.06.18 11:22:34 LOG7[272:2156]: SNI: sending servername: 10.254.0.21
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): before/connect initialization
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): SSLv3 write client hello A
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): SSLv3 read server hello A
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=2, /CN=xxx RootCA
2013.06.18 11:22:34 LOG5[272:2156]: Certificate accepted: depth=2, /CN=xxx RootCA
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=1, /CN=xxx
2013.06.18 11:22:34 LOG5[272:2156]: Certificate accepted: depth=1, /CN=xxx SubCA1
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=0, /C=zzz
2013.06.18 11:22:34 LOG4[272:2156]: CERT: Certificate not found in local repository
2013.06.18 11:22:34 LOG4[272:2156]: Certificate check failed: depth=0, /C=zzz
2013.06.18 11:22:34 LOG7[272:2156]: SSL alert (write): fatal: certificate unknown
2013.06.18 11:22:34 LOG3[272:2156]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.06.18 11:22:34 LOG5[272:2156]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.06.18 11:22:34 LOG7[272:2156]: Remote socket (FD=396) closed
2013.06.18 11:22:34 LOG7[272:2156]: Local socket (FD=376) closed
2013.06.18 11:22:34 LOG7[272:2156]: Service [SZX] finished (0 left)

Hi,

Looks like you have verify = 3 (verify peer certificate with a local file) and it can't find the peer certificate to verify against. Are you sure that the CAfile contains the peer certificate too, not only the CAs? If you use verify = 2 (it just verifies the certificate against the CA) and it doesn't give errors, there you have the proof. I may be wrong but it looks like that :)

Regards.

On 2013-06-19 14:17, Roman Tuchyna wrote:
> I'm trying to create SSL tunnel between my server (Win 2008 R2, 4.56 version of stunnel) and remote application server - I have merged both root and sub certificate into 1 file and it looks like it can verify them and accept them as well, but then it tries to verify it at depth=0 and says certificate not found in local repository. Am I missing anything here?

I didn't test it myself, but some users reported that OpenSSL requires a specific order of certificates and an empty line between them.

BTW: Are you sure that CAfile contains the certificate of *your peer* (the remote application server)?

Mike
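Both replies come down to the same question, whether the merged CAfile holds the peer's own (depth=0) certificate and not just the root and sub CA, and Mike adds the reported issue with certificate order and separators in the merged file. The script below is an added example, not part of this thread and not stunnel's code: it parses a PEM bundle, checks whether the peer's certificate is present (modelled as a SHA-256 fingerprint match on the DER bytes, which is an assumption about the comparison rather than stunnel's actual store lookup), and rewrites a hand-merged bundle in canonical form with one blank line between blocks. The certificates are constructed placeholders, not real X.509 data; the functions behave the same on real PEM files.

```python
import base64
import hashlib
import re

# Constructed example data: placeholder byte strings in PEM armour, NOT real
# X.509 certificates. The checks compare DER bytes, so they work the same on
# a real CAfile.
def placeholder_cert(label):
    body = base64.b64encode(f"constructed placeholder: {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

ROOT_CA = placeholder_cert("CN=xxx RootCA")   # depth=2 in the log
SUB_CA = placeholder_cert("CN=xxx SubCA1")    # depth=1 in the log
PEER = placeholder_cert("C=zzz leaf")         # depth=0, the remote server

CAFILE_CAS_ONLY = ROOT_CA + SUB_CA            # root + sub merged, peer absent
CAFILE_WITH_PEER = ROOT_CA + SUB_CA + "\n" + PEER

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Whitespace inside and between blocks is ignored, so a bundle built by
    concatenating files parses the same with or without blank lines.
    """
    return [base64.b64decode(re.sub(r"\s+", "", body))
            for body in PEM_CERT.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def peer_in_repository(peer_pem, cafile_pem):
    """True if the peer's own (depth=0) certificate appears in the bundle.

    This is the extra condition a verify = 3 setup needs on top of a valid
    CA chain: the leaf itself must be in the local repository.
    """
    peers = pem_blocks(peer_pem)
    if len(peers) != 1:
        raise ValueError("expected exactly one peer certificate")
    wanted = fingerprint(peers[0])
    return any(fingerprint(der) == wanted for der in pem_blocks(cafile_pem))


def normalize_bundle(text):
    """Re-emit every block as 64-column PEM with one blank line between blocks.

    Useful when a hand-merged file has odd wrapping or missing separators.
    """
    out = []
    for der in pem_blocks(text):
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "\n".join(out)


def diagnose(verify_level, peer_pem, cafile_pem):
    """Map the 'not found in local repository' symptom to its cause.

    Only the repository-membership condition is modelled here; CA chain
    validation (what verify = 2 needs) is left to OpenSSL.
    """
    if verify_level == 3 and not peer_in_repository(peer_pem, cafile_pem):
        return "peer certificate missing from CAfile (required for verify = 3)"
    return "ok"


if __name__ == "__main__":
    print(diagnose(3, PEER, CAFILE_CAS_ONLY))   # the situation in the log
    print(diagnose(3, PEER, CAFILE_WITH_PEER))  # after appending the peer cert
```

On a real system, point `pem_blocks` at the contents of the CAfile named in stunnel.conf and at a copy of the remote server's certificate; if `peer_in_repository` returns False while verify = 3 is set, appending the peer certificate to the bundle (or dropping to verify = 2 if only chain validation is wanted) is the fix the replies describe.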
participants (3)
-
Javier
-
Michal Trojnara
-
Roman Tuchyna