stunnel No certificate returned unknown CA

Question

I have 2x stunnels linux based, 1 server, 1 client. What I am trying to do is to use a stunnel client and with verify 3 it authenticates the user based on the certificate.

Here are the config files of each:

Client:

cert = /stunnel/client_Access_stunnel.pem
key = /stunnel/client_Access_stunnel.pem
CAfile = /stunnel/client_Access_stunnel.pem
CApath = /stunnel/cacerts/

flips=no
pid    = /var/run/stunnel-tcap.pid

; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

output = /stunnel/stunnel.log
client = yes
;verify = 3
debug = 5
[tcap]
accept = 0.0.0.0:3701
connect = 192.168.1.4:3700

Server:

pid = /var/run/stunnel/server.pid

cert = /opt/quasar/cert/certs/stunnels/server.pem
key = /opt/quasar/cert/certs/stunnels/server.pem

CApath = /opt/certs/stunnels/cacerts/

; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

; Security level
verify = 2

; Uncomment for troubleshooting purposes
debug = 7


; Log file path
output = /opt/stunnels/stunnel.log

[stunnel1]
accept = 0.0.0.0:3700
connect = 127.0.0.1:3701

The error is:

Client:

2016.11.16 12:55:10 LOG7[77]: Remote descriptor (FD=11) initialized
2016.11.16 12:55:10 LOG6[77]: SNI: sending servername: 192.168.104.74
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): before/connect initialization
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): SSLv2/v3 write client hello A
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG7[77]: SSL alert (read): fatal: unknown CA
2016.11.16 12:55:10 LOG3[77]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2016.11.16 12:55:10 LOG5[77]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.16 12:55:10 LOG7[77]: Deallocating application specific data for addr index

Server:

2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): before/accept initialization
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 read client hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write server hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate request A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 flush data
2016.11.16 11:55:17 LOG4[36384:140097622492928]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=UK/ST=London/L=London/O=org/OU=OP/CN=client/[email protected]
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL alert (write): fatal: unknown CA
2016.11.16 11:55:17 LOG3[36384:140097622492928]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2016.11.16 11:55:17 LOG5[36384:140097622492928]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

Please ignore the time-stamps. same error different times.

• I have added the CA certificate to the client_Access_stunnel.pem, unchanged.
• I have added all CA's certs in to CApath
• cert was signed by xca locally managed

Answer 1

CApath is used with the verifyChain or verifyPeer options, I don't see either of those options set anywhere. Also note "the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert." (taken from stunnel manual)

What happens when you test the certificate with the following:

openssl verify -CApath /opt/certs/stunnels/cacerts/ server-certificate-file