
List:       stunnel-users
Subject:    [stunnel-users] Cannot connect using PKI
From:       Greg Sanders <greg () yesenergy ! com>
Date:       2020-12-09 13:46:16
Message-ID: CAGRMJ8wSRNmEaFb9vnoOGE-nubr1D5COQ9333kssf1VUtJkwmg () mail ! gmail ! com



Hello, we have been connecting to a test API site where we specified a PEM
cert saved locally, and succeeded. I believe this is the 'certificate
pinning' approach. Now we are transitioning to the production API, where
the tech documentation says there is no certificate needed, "the
certificate is sent during the handshake". So a PKI client connection, I
guess. But we can't connect. Any suggestions would be appreciated. Our
stunnel config is below. Thanks.
STUNNEL CONFIG FILE:
debug = 7
output = stunnel.log
sslVersion = all
options = NO_SSLv2
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM
[ice_client]
client = yes
accept = 127.0.0.1:8080
connect = 63.nnn.nnn.207:443
checkHost = *.xxxxx.com
CAfile = ca-certs.pem
; CAPath = certs
verifyChain = yes

-- 
Greg Sanders
Database Architect
Yes Energy
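As an added example (not part of the original message, and not stunnel's own documentation), the two client sections below contrast the two approaches the post describes: pinning a locally saved server certificate with verifyPeer, and PKI chain verification with verifyChain plus checkHost. Host names, ports and file names are placeholders chosen for illustration.

```ini
; Added example, not from the original post. Host names, ports and file
; names are placeholders.

; --- Approach 1: certificate pinning (what worked against the test API) ---
; verifyPeer accepts only a certificate that is itself present in CAfile,
; so CAfile must contain the server's own leaf certificate in PEM form.
[test_api_pinned]
client = yes
accept = 127.0.0.1:8080
connect = test-api.example.com:443
; the server's certificate, saved locally
CAfile = test-api-leaf.pem
verifyPeer = yes

; --- Approach 2: PKI chain verification (what the production API expects) ---
; verifyChain validates the chain the server sends during the handshake
; against trusted CA certificates, so CAfile must hold the issuing CA(s),
; not the old test server's leaf certificate. checkHost then ties the
; verified certificate to the host name the client intends to reach.
[prod_api_pki]
client = yes
accept = 127.0.0.1:8081
connect = api.example.com:443
; trusted root and intermediate CA certificates
CAfile = ca-bundle.pem
verifyChain = yes
; the host name expected in the certificate's CN or SAN
checkHost = api.example.com
```

With debug = 7 and an output file set in the global section, a chain that does not validate against CAfile shows up in the log as a verification error naming the depth and the certificate that failed, which is the first thing to check when switching from the pinned setup to chain verification.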




_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org

