[prev in list] [next in list] [prev in thread] [next in thread]
List: stunnel-users
Subject: [stunnel-users] Re: Getting error "CERT: Pre-verification error: self signed certificate" [solved; t
From: Christopher Schultz <chris () christopherschultz ! net>
Date: 2022-05-14 19:59:04
Message-ID: 14a528fb-16e8-4404-66fe-56f7abb05239 () christopherschultz ! net
[Download RAW message or body]
All,
Okay, this turned out to be a "moving too fast" mistake on my part. If I
had been reading the signs, I would have noticed that:
1. With the old certificate in the CAfile, I got "expired cert" error
when the client attempted to connect
2. With the new certificate in the CAfile (but not the old one), I got
"CERT: Pre-verification error: self signed certificate"
Stupid me: the client was still sending the old cert. I confirmed with a
tcpdump+Wireshark+export dance.
A couple of things:
1. This error message is wildly misleading. The appropriate error
message here should have been "certificate is not trusted". Can we maybe
get a patch that provides the operator with a clear error message in
this case?
2. When debug=7 (its most chatty), the presented client's certificate is
not dumped to the log even though it's pretty important information to
debug a failing connection. Can we add that to the debug(7) logging
output? I happen to have had tcpdump and Wireshark already installed in
the necessary locations, and the expertise to know how to use them
(except I had to Google for how to export the cert from the dump to a
file to read its contents), but (a) not everyone has that capability and
(b) it's a total PITA when it would be trivial to dump the PEM
certificate to the log.
Thanks!
-chris
On 5/14/22 08:04, Christopher Schultz wrote:
> All,
>
> I'm running stunnel 4.56 as a server on Linux, as I have been doing for
> a while. I require clients to connect using their own client certs and
> yesterday one of them expired. The client generated a new certificate
> and sent it to me to install, and I'm getting the error in the subject.
>
> Version details:
> $ sudo stunnel -help
> stunnel 4.56 on x86_64-koji-linux-gnu platform
> Compiled/running with OpenSSL 1.0.2k-fips 26 Jan 2017
> Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
>
> I have set verify=4 because I expect to place the exact certificate for
> every client into my CAFile.
>
> This has been working for years, and when I connect using openssl
> s_client, I can see which client certificates the server advertises it
> will allow to connect, and they reflect what I expect.
>
> The server certificate is also self-signed, so I copied that into the
> CAFile and I'm able to connect with openssl s_client using that
> certificate. So I think the problem can't be that the client's
> certificate is self-signed.
>
> So, to recap:
>
> 1. stunnel in server mode
> 2. CAFile points to a collection of PEM certs
> 3. verify=4
> 4. I can connect with my own valid, trusted, self-signed certificate
> 5. Client cannot connect with their valid, trusted, self-signed cert
>
> Any ideas?
>
> (Note: the client DOES appear to be using their new certificate, though
> I can only see the subject text which could be the same, yet with a
> different actual certificate.)
>
> Here is the debug(7) output from an attempted connection:
>
> : Starting certificate verification: depth=0, [subject]
> : CERT: Pre-verification error: self signed certificate
> : Certificate check failed: depth=0, [subject]
> : SSL alert (write): fatal: unknown CA
> : SSL_accept: 14089086: error:14089086:SSL
> routines:ssl3_get_client_certificate:certificate verify failed
> : Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>
> Thanks,
> -chris
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic