I: error=certificate signature failure

________________________________
From: Pulcini Maddalena
Sent: Thu 03/11/2005 8.58
To: stunnel
Subject: I: error=certificate signature failure

________________________________
From: Pulcini Maddalena
Sent: Wed 02/11/2005 17.14
To: stunnel
Subject: error=certificate signature failure

Hi All,

could someone help me understand what happens and what my client needs to verify the peer?

Thanks & Regards

I configured stunnel in this way:

stunnel.conf
================================
client = yes
debug=7
cert = client69f.pem
key = chiave69.pem
cafile=cacert.pem
verify = 1
capath= .

[telnet]
accept = 23
connect = 10.36.3.191:4433
============================

I put all the files configured above in the same directory where stunnel-4.07.exe runs; I have a machine on which an SSL server runs with a certificate signed by the same CA (cacert.pem).

The log file is:
======================================
2005.11.02 16:33:47 LOG5[1456:1084]: stunnel 4.07 on x86-pc-mingw32-gnu WIN32+IPv4 with OpenSSL 0.9.7f 22 Mar 2005
2005.11.02 16:33:47 LOG7[1456:1504]: Snagged 64 random bytes from C:/.rnd
2005.11.02 16:33:47 LOG7[1456:1504]: Wrote 1024 new random bytes to C:/.rnd
2005.11.02 16:33:47 LOG7[1456:1504]: RAND_status claims sufficient entropy for the PRNG
2005.11.02 16:33:47 LOG6[1456:1504]: PRNG seeded successfully
2005.11.02 16:33:47 LOG7[1456:1504]: Certificate: client69f.pem
2005.11.02 16:33:47 LOG7[1456:1504]: Key file: chiave69.pem
2005.11.02 16:33:47 LOG7[1456:1504]: Loaded verify certificates from cacert.pem
2005.11.02 16:33:47 LOG7[1456:1504]: Verify directory set to .
2005.11.02 16:33:47 LOG5[1456:1504]: No limit detected for the number of clients
2005.11.02 16:33:47 LOG7[1456:1504]: FD 156 in non-blocking mode
2005.11.02 16:33:47 LOG7[1456:1504]: SO_REUSEADDR option set on accept socket
2005.11.02 16:33:47 LOG7[1456:1504]: telnet bound to 0.0.0.0:23
2005.11.02 16:34:14 LOG7[1456:1504]: telnet accepted FD=168 from 127.0.0.1:2501
2005.11.02 16:34:14 LOG7[1456:1504]: FD 168 in non-blocking mode
2005.11.02 16:34:14 LOG7[1456:1504]: Creating a new thread
2005.11.02 16:34:14 LOG7[1456:1504]: New thread created
2005.11.02 16:34:14 LOG7[1456:1320]: telnet started
2005.11.02 16:34:14 LOG5[1456:1320]: telnet connected from 127.0.0.1:2501
2005.11.02 16:34:14 LOG7[1456:1320]: FD 192 in non-blocking mode
2005.11.02 16:34:14 LOG7[1456:1320]: telnet connecting 10.36.3.191:4433
2005.11.02 16:34:14 LOG7[1456:1320]: connect_wait: waiting 10 seconds
2005.11.02 16:34:14 LOG7[1456:1320]: connect_wait: connected
2005.11.02 16:34:14 LOG7[1456:1320]: Remote FD=192 initialized
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): before/connect initialization
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): SSLv3 write client hello A
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): SSLv3 read server hello A
2005.11.02 16:34:14 LOG4[1456:1320]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=Siena/O=amtec/OU=elsag/CN=CERTIFICATION AUTHORITY 2.0/description=CA CERTIFICATE/L=Abbadia San Salvatore
2005.11.02 16:34:14 LOG7[1456:1320]: SSL alert (write): fatal: handshake failure
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: 14090086 : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: D089006 : error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib
2005.11.02 16:34:14 LOG3[1456:1320]: SSL_connect: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
2005.11.02 16:34:14 LOG7[1456:1320]: telnet finished (0 left)
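An added example, not part of the original post and not stunnel's own code: a small Python parser for the failure lines of the log above. It reports at which chain depth verification failed and unpacks the OpenSSL error codes, assuming the pre-3.0 packing (8-bit library, 12-bit function, 12-bit reason); the function names are illustrative.

```python
import re

# Failure lines copied from the log in the post above.
SAMPLE_LOG = """\
2005.11.02 16:34:14 LOG4[1456:1320]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=Siena/O=amtec/OU=elsag/CN=CERTIFICATION AUTHORITY 2.0/description=CA CERTIFICATE/L=Abbadia San Salvatore
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: 14090086 : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: D089006 : error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib
2005.11.02 16:34:14 LOG3[1456:1320]: SSL_connect: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (/.*)$")
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def parse_dn(dn):
    """Split a one-line subject (/K=V/K=V...); values containing '/' are not handled."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def unpack_error(code_hex):
    """Unpack an error code under the assumed pre-3.0 layout: lib, function, reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def analyse(log_text):
    """Return (verify failures, decoded error stack) found in stunnel log text."""
    failures, stack = [], []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth = int(m.group(1))
            failures.append({
                "depth": depth,
                # depth 0 is the peer's own certificate, depth >= 1 an issuer in its chain
                "position": "peer certificate" if depth == 0 else "issuer (CA) certificate",
                "error": m.group(2).strip(),
                "subject": parse_dn(m.group(3)),
            })
            continue
        m = ERROR_RE.search(line)
        if m:
            lib, func, reason = unpack_error(m.group(1))
            stack.append({"lib": lib, "func": func, "reason": reason,
                          "where": f"{m.group(2)}:{m.group(3)}", "text": m.group(4).strip()})
    return failures, stack

if __name__ == "__main__":
    failures, stack = analyse(SAMPLE_LOG)
    for f in failures:
        print(f"depth {f['depth']} ({f['position']}): {f['error']}: CN={f['subject'].get('CN')}")
    for e in stack:
        print(f"lib={e['lib']} func={e['func']} reason={e['reason']} {e['where']}: {e['text']}")
```

On this log the failure is reported at depth 1, that is, while checking the signature on the CA certificate in the chain rather than on the server's own certificate.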