Gentoo Forums
stunnel fails certificate validation after openssl update
dr.nil
n00b

Joined: 18 Jul 2007
Posts: 47

Posted: Wed Oct 13, 2010 7:06 am    Post subject: stunnel fails certificate validation after openssl update

Hi,

I emerged the latest openssl stable update yesterday (dev-libs/openssl-1.0.0a-r3) and now my stunnel fails with

Quote:

Oct 13 08:50:01 xanthippe stunnel: LOG3[7126:3074582832]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I must admit that I mindlessly accepted the updated openssl.cnf, but I'm not aware of having made any changes to it before either.

I'm thankful for any hint where to even start diagnosing this ...

-dirk
malern
Apprentice

Joined: 19 Oct 2006
Posts: 170

Posted: Wed Oct 13, 2010 8:15 am

I've had the same problem with various programs (wget, subversion, openldap) after updating openssl. I've read that some people have solved the problem by running
Code:
c_rehash /etc/ssl/certs


But that didn't work for me. The only way I found to fix it was to re-emerge the broken packages so they link against the new openssl libs. So I'd recommend re-emerging stunnel.
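Added example (not part of any post in this thread): OpenSSL finds CA certificates in a CApath directory through symlinks named after the certificate's subject hash, which is what c_rehash regenerates, and OpenSSL 1.0.0 changed how that hash is computed. The script below reports which certificates in such a directory lack a link under the hash the installed openssl expects. It assumes the openssl command-line tool, version 1.0.0 or later; the function and script names are hypothetical.

```sh
#!/bin/sh
# Added example: audit an OpenSSL CApath directory such as /etc/ssl/certs.
# Usage: sh check_capath.sh /etc/ssl/certs   (script name is hypothetical)
# For each *.pem / *.crt certificate it prints one of:
#   OK       a <subject-hash>.N link to this certificate exists
#   STALE    only a link named with the pre-1.0.0 subject hash exists
#   MISSING  no hash link for this certificate at all
# check_capath returns 0 only when every certificate is OK.

# fp FILE: fingerprint line of the first certificate in FILE
fp() { openssl x509 -noout -fingerprint -in "$1" 2>/dev/null; }

# has_link DIR HASH CERT: true if some DIR/HASH.<n> is the same certificate
has_link() {
    want=$(fp "$3")
    for link in "$1/$2".*; do
        [ -e "$link" ] && [ "$(fp "$link")" = "$want" ] && return 0
    done
    return 1
}

check_capath() {
    dir=${1:-/etc/ssl/certs}
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Hash the installed openssl looks up; skip files that are not certs.
        new=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        # Hash used by OpenSSL releases before 1.0.0.
        old=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null) || old=
        if has_link "$dir" "$new" "$cert"; then
            echo "OK ${cert##*/}"
        elif [ -n "$old" ] && has_link "$dir" "$old" "$cert"; then
            echo "STALE ${cert##*/}"; rc=1
        else
            echo "MISSING ${cert##*/}"; rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_capath "$1"; fi
```

A directory that reports only OK rules out the hash links as the cause, which matches the posters' experience that c_rehash alone did not change anything.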
dr.nil
n00b

Joined: 18 Jul 2007
Posts: 47

Posted: Wed Oct 13, 2010 9:36 am

Code:
c_rehash /etc/ssl/certs
does not work for me either :-(

I ran revdep-rebuild after the openssl update and I'm pretty sure stunnel was emerged as a result of this. Just to be sure I ran emerge stunnel again now, still the same problem.
malern
Apprentice

Joined: 19 Oct 2006
Posts: 170

Posted: Wed Oct 13, 2010 9:55 am

Try running
Code:
ldd /usr/bin/stunnel

and check what libraries it's actually linking against.
dr.nil
n00b

Joined: 18 Jul 2007
Posts: 47

Posted: Wed Oct 13, 2010 10:35 am

As I said ... stunnel does not fail because of library mismatch:
Code:

# ldd /usr/bin/stunnel
        linux-gate.so.1 =>  (0xb780a000)
        libutil.so.1 => /lib/libutil.so.1 (0xb77fd000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb77e4000)
        libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb7796000)
        libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb763e000)
        libc.so.6 => /lib/libc.so.6 (0xb74f7000)
        /lib/ld-linux.so.2 (0xb780b000)
        libdl.so.2 => /lib/libdl.so.2 (0xb74f3000)
        libz.so.1 => /lib/libz.so.1 (0xb74df000)
dr.nil
n00b

Joined: 18 Jul 2007
Posts: 47

Posted: Wed Oct 13, 2010 12:44 pm

After some googling I found the solution. I added
Code:

verify=2

to my stunnel.conf