I am trying to set up stunnel with certificate verification. I have put verify = 1 in stunnel.conf.

I generated a certificate for the stunnel server and client and signed it with a CA (CA set up in the lab):

# on the stunnel host: generate an unencrypted 2048-bit RSA key and a CSR for it
openssl req -out stunnel.csr -new -newkey rsa:2048 -nodes -keyout stunnel.key
# copy the CSR to the lab CA host
scp stunnel.csr root@<CA IP Address>:/etc/pki/CA/csr/
# on the CA host (working directory /etc/pki/CA): sign the CSR, using the v3_ca extension section
openssl ca -extensions v3_ca -days 3650 -in csr/stunnel.csr -out certs/stunnel.pem
# back on the stunnel host: stunnel reads certificate and private key from one PEM file
cat stunnel.key >> stunnel.pem

But when I use this cert I get error:

2014.05.07 17:01:56 LOG4[8343:140373923505920]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: /C=US/ST=California/O=Org/OU=OrgUnit TLM/CN=CAHost
2014.05.07 17:01:56 LOG3[8343:140373923505920]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2014.05.07 17:01:56 LOG5[8343:140373923505920]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

What is going wrong here ?

jww
user1191140
  • The `unable to get issuer certificate` means something does not trust the CA. I don't know what generated the log file, so it's not clear to me what is not trusting your private CA. – jww May 07 '14 at 20:05
  • You can test your new cert with `openssl s_client -connect <host>:<port> -CAfile <ca-cert.pem>`. If it finishes with `Verify OK (0)`, then everything is working properly. – jww May 07 '14 at 20:07

1 Answer

What is going wrong here ?

The error is 0x140890B2:

SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

The error string from OpenSSL is "no certificate returned".

If you supply the client certificate, then the problem will likely go away.

jww
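The procedure in the question and the check suggested in the comments, as an added worked example that is not part of the original question or answer: it builds a throwaway lab PKI (a CA, a server certificate and a client certificate), assembles the cert-plus-key PEM files that stunnel's `cert =` option reads, writes a matching server and client stunnel.conf, and runs the same chain check stunnel performs against its CAfile, once against the right CA and once against an unrelated CA to show the failing case. Subjects, hostnames, ports and file names are invented for the demonstration, and the leaves are signed with `openssl x509 -req` rather than a full `openssl ca` directory so the script is self-contained.

```shell
#!/bin/sh
# Added example, not from the original post: throwaway lab PKI that mirrors the
# question's setup, the cert+key PEM files stunnel expects, and the chain check
# stunnel performs under verify = 1 or verify = 2. All names, subjects, paths
# and ports are made up; leaves are signed with "openssl x509 -req" instead of
# an "openssl ca" directory to keep the script self-contained.
set -eu

WORK=${WORK:-$(mktemp -d)}
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config with one extension section per certificate role.
# The leaf sections say CA:FALSE: signing a leaf with "-extensions v3_ca", as
# in the question, stamps CA:TRUE onto an end-entity certificate.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca <basename> <CN>: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
      -days 3650 -subj "/C=US/ST=California/O=Org/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <basename> <extension section>: CSR, CA-signed certificate, then
# the single PEM (certificate followed by private key) for stunnel's "cert =".
issue_leaf() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/O=Org/CN=$1" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 825 -extfile "$CNF" -extensions "$2" \
      -out "$WORK/$1.crt" 2>/dev/null
  cat "$WORK/$1.crt" "$WORK/$1.key" > "$WORK/$1.pem"
}

# verify_leaf <cert> <CAfile>: the chain check stunnel runs against its CAfile;
# prints "ok" if the cert chains to a CA in that file, "fail" otherwise.
verify_leaf() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# write_stunnel_configs: the server requires a client certificate (verify = 2)
# issued by a CA in CAfile, so the client side must carry "cert = client.pem".
write_stunnel_configs() {
  cat > "$WORK/stunnel-server.conf" <<EOF
cert = $WORK/server.pem
CAfile = $WORK/ca.pem
verify = 2
[https]
accept = 4433
connect = 127.0.0.1:80
EOF
  cat > "$WORK/stunnel-client.conf" <<EOF
client = yes
cert = $WORK/client.pem
CAfile = $WORK/ca.pem
verify = 2
[https]
accept = 127.0.0.1:8080
connect = stunnel-server.lab:4433
EOF
}

make_ca ca CAHost          # the lab CA that signs both leaves
make_ca other-ca OtherCA   # an unrelated CA, to show a failing chain
issue_leaf server v3_server
issue_leaf client v3_client
write_stunnel_configs
echo "server.crt vs ca.pem:       $(verify_leaf "$WORK/server.crt" "$WORK/ca.pem")"       # ok
echo "client.crt vs ca.pem:       $(verify_leaf "$WORK/client.crt" "$WORK/ca.pem")"       # ok
echo "server.crt vs other-ca.pem: $(verify_leaf "$WORK/server.crt" "$WORK/other-ca.pem")" # fail
```

The third line of output is the situation behind a depth=1 "unable to get issuer certificate": the leaf is fine, but the side doing the verification cannot find the certificate's issuer in the CAfile (or CApath) it was given. Running the script leaves the generated files in `$WORK`, so the same CA file can be handed to `openssl s_client -CAfile` as the comment above suggests.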