
List:       stunnel-users
Subject:    Re: [stunnel-users] How to install CA at client side?
From:       "Josealf.rm" <josealf () rocketmail ! com>
Date:       2015-09-15 11:15:05
Message-ID: 381E2FFA-0FA6-4B47-9522-B5BE6B21BF03 () rocketmail ! com



Are you sure the bundle has the entire certificate chain for the CA?

I usually use the CApath parameter. It requires each certificate in its own file with the hashed name as explained in the howto.

Regards
Jose

> On 15/9/2015, at 2:32, MingHeng Wang <ifoolb@gmail.com> wrote:
> 
> Hello Stunnel maintainers,
> I try to use real certificates of my web server for stunnel. I combine the private key, my site's cert, and the ca-bundle into a pem file, and it works fine when the client doesn't verify any certificate. Then I specify CAfile, which is the ca bundle file from my registrar, at the client side and turn on verification, and I always get the errors below, whatever the level, 2 or 3:
> Sep 15 14:53:28 y400 stunnel[11666]: LOG5[11]: Service [http-proxy3] connected remote server from 192.168.1.104:45746
> Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: CERT: Pre-verification error: unable to get issuer certificate
> Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: Rejected by CERT at depth=2:
> 
> However, level 4 works. I want to prevent a man-in-the-middle attack, so can level 4 achieve that with my current setup? Both server and client side use stunnel 5.17, which is fairly recent.
> _______________________________________________
> stunnel-users mailing list
> stunnel-users@stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
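Building the hashed CApath directory Jose refers to, as an added example that is not part of this thread or of the stunnel project's own tooling. The script splits a PEM bundle into one file per certificate named by OpenSSL's subject hash (the layout c_rehash or "openssl rehash" produces), generates a throwaway root/intermediate/leaf chain so it runs offline, and then checks the leaf against a complete bundle and against one that lacks the root, which reproduces the "unable to get issuer certificate" failure quoted above. The demo CA names, the stunnel.example host, the file paths and the stunnel service section are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel project. Builds a stunnel
# CApath directory from a PEM bundle by hand and shows how an incomplete
# bundle produces "unable to get issuer certificate". Needs openssl and awk.
set -eu

# Split BUNDLE into one certificate per file under OUTDIR, named
# <subject_hash>.<n>, the layout OpenSSL's hash-dir lookup (and therefore
# stunnel's CApath) searches. This is what c_rehash / "openssl rehash" do.
build_capath() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/split" (++n) ".tmp" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    for tmp in "$outdir"/split*.tmp; do
        [ -e "$tmp" ] || continue
        h=$(openssl x509 -in "$tmp" -noout -subject_hash)
        i=0                      # .0, .1, ... so same-subject certs do not collide
        while [ -e "$outdir/$h.$i" ]; do i=$((i + 1)); done
        mv "$tmp" "$outdir/$h.$i"
    done
}

# Throwaway root -> intermediate -> leaf chain (EC keys, demo names) so the
# example runs offline. A tiny req config avoids depending on openssl.cnf.
make_demo_chain() {
    d="$1"; mkdir -p "$d"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:stunnel.example\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -config "$d/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -subj "/CN=demo-$name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/ca-bundle-full.pem"   # complete chain
    cp "$d/int.pem" "$d/ca-bundle-noroot.pem"                   # intermediate only
}

# The same lookup stunnel performs for verify = 2: does the peer certificate
# chain to a trusted certificate found in CApath? Prints OpenSSL's verdict and
# returns its exit status.
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$1" "$2" 2>&1
}

# Client-side stunnel config for the hashed directory (assumed service names).
# verify = 2 checks the chain only; checkHost, a stunnel 5.x option, also ties
# the certificate to the expected server name, since the same CA may have
# issued certificates to other parties.
write_stunnel_client_conf() {
    cat > "$2" <<EOF
client = yes
verify = 2
CApath = $1

[https-client]
accept = 127.0.0.1:8443
connect = stunnel.example:443
checkHost = stunnel.example
EOF
}

demo() {
    t=$(mktemp -d)
    make_demo_chain "$t/pki"
    build_capath "$t/pki/ca-bundle-full.pem" "$t/capath"
    build_capath "$t/pki/ca-bundle-noroot.pem" "$t/capath-noroot"
    write_stunnel_client_conf "$t/capath" "$t/stunnel-client.conf"
    echo "hashed CApath:"; ls "$t/capath"
    echo "full bundle:  $(verify_with_capath "$t/capath" "$t/pki/leaf.pem" || true)"
    echo "missing root: $(verify_with_capath "$t/capath-noroot" "$t/pki/leaf.pem" || true)"
}
demo
```

The file names come from "openssl x509 -subject_hash", which is the hash OpenSSL 1.0 and later use for directory lookups; an OpenSSL 0.9.x stunnel would need "-subject_hash_old" names instead. Note that with the root missing the intermediate alone is not accepted as a trust anchor, so verification stops at the intermediate with "unable to get issuer certificate", the situation the quoted log shows at depth 2.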
