Closed: favrecr closed this issue 5 years ago
This is discussed/resolved in https://github.com/square/ghostunnel/issues/254
It's not a TLS version issue, the "sslv3" is a distraction. The real issue is "alert bad certificate".
Right, SSL is highly distracting here. I'm assuming a cert is being used to authenticate here. This is missing from c-relay, it only validates at the moment.
Yeah, I've told favrecr how to disable that in the other ticket 👍
Hello folks, thanks for the help, so I have a much better picture now of this. Currently:
1- Our ghostunnel is working properly, opens up the SSL endpoint and we are able to connect to it with openssl.
2- carbon-c-relay with this configuration is trying to reach it:
10.209.114.X:3003 type linemode transport plain ssl /etc/ssl/certs/server10.209.114.X.pem ;
That is signed by a known auth, one could list the contents with openssl x509, the only problem is that we see in the logs from carbon-c-relay:
failed to connect ssl stream: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Is there any way that I could specify to carbon-c-relay to trust the certificate?
Thanks for the help @mcpherrinm @grobian
You need the signer of the server cert in your standard chain, or give it using the -C option to c-relay.
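The "certificate verify failed" error above is what you get when the signer of the server certificate is not in the trust store. The script below reproduces that offline, as an added example that is not from this thread or from carbon-c-relay: a throwaway CA (constructed for the demo) signs a server certificate, then `openssl verify` is run once without the CA (fails, like c-relay does) and once with the signer supplied (passes, which is what the standard chain or the -C option provides). The CN and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA and a server cert
# signed by it, then shows that verification only succeeds once the signer is
# made available to the verifier.
set -e
WORK="$(mktemp -d)"

# Throwaway CA (constructed for this demo; not a real authority)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Server key + CSR, then sign the CSR with the throwaway CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=ghostunnel-endpoint" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" 2>/dev/null

# Only the default trust store is consulted; demo-ca is not in it, so this
# fails with "unable to get local issuer certificate" (what c-relay hits).
verify_without_ca() {
  if openssl verify "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Signer supplied explicitly (the role of the standard chain or the -C
# option): the chain now builds and verification passes.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "without CA: $(verify_without_ca)"
echo "with CA:    $(verify_with_ca)"
```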
Folks, what version of SSL is carbon-c-relay using when configured as follows:
;
I am getting this error in the carbon-c-relay.log
But connecting with openssl works fine:
openssl s_client --connect 10.1.1.12:3003 -cert /etc/ssl/certs/stunnel.pem
CONNECTED(00000005)
Can't use SSL_get_servername
I am suspecting that my server only supports TLSv1.2 and it has been receiving another.