grobian / carbon-c-relay

Enhanced C implementation of Carbon relay, aggregator and rewriter
Apache License 2.0

What version of SSL is carbon-c-relay using #375

Closed favrecr closed 5 years ago

favrecr commented 5 years ago

Folks, what version of SSL is carbon-c-relay using when configured as follows:

    10.1.1.12:3003
        type linemode transport plain ssl /etc/ssl/certs/serverPOC.pem
    ;

I am getting this error in the carbon-c-relay.log

    failed to connect ssl stream: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

But connecting with openssl works fine:

    openssl s_client --connect 10.1.1.12:3003 -cert /etc/ssl/certs/stunnel.pem
    CONNECTED(00000005)
    Can't use SSL_get_servername

I suspect that my server only supports TLSv1.2 and it has been receiving another version.

mcpherrinm commented 5 years ago

This is discussed/resolved in https://github.com/square/ghostunnel/issues/254

It's not a TLS version issue, the "sslv3" is a distraction. The real issue is "alert bad certificate".

grobian commented 5 years ago

Right, "ssl" is highly distracting here. I'm assuming a cert is being used to authenticate here. This is missing from c-relay, it only validates at the moment.

mcpherrinm commented 5 years ago

Yeah, I've told favrecr how to disable that in the other ticket 👍

favrecr commented 5 years ago

Hello folks, thanks for the help. I have a much better picture of this now. Currently:

1. Our ghostunnel is working properly, opens up the SSL endpoint and we are able to connect to it with openssl.
2. carbon-c-relay with this configuration is trying to reach it:

       10.209.114.X:3003
           type linemode transport plain ssl /etc/ssl/certs/server10.209.114.X.pem
       ;

   That is signed by a known auth; one could list the contents with openssl x509. The only problem is that we see this in the logs from carbon-c-relay:

    failed to connect ssl stream: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Is there any way that I could specify to carbon-c-relay to trust the certificate?

Thanks for the help @mcpherrinm @grobian

grobian commented 5 years ago

You need the signer of the server cert in your standard chain, or give it using the -C option to c-relay.
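To check which signer a server certificate actually needs before handing it to c-relay with -C, here is an added example (not part of the carbon-c-relay or ghostunnel projects) that builds a throwaway CA and server certificate with the openssl CLI and runs the same chain verification the relay performs: it fails against the system trust store and succeeds once the signer's CA file is supplied. The certificate names are constructed, and the openssl default config is assumed to be present.

```shell
#!/bin/sh
# Reproduce "certificate verify failed" offline and show that trusting the
# signer fixes it. Mirrors the c-relay situation: the leaf is valid but its
# CA is not in the standard chain, so verification fails until the CA file
# is passed in (c-relay: -C <ca.pem>).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and a leaf it signs.
# Assumption: openssl CLI with its default openssl.cnf (req -x509 marks
# the self-signed cert as a CA via the config's v3_ca section).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ghostunnel.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/server.pem" >/dev/null 2>&1
}

# Returns 0 when the server cert chains to the given CA file (what -C does).
verify_with_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the server cert chains to the system trust store only;
# for a private CA this is the "certificate verify failed" case.
verify_with_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

main() {
  make_test_pki
  if verify_with_system_store "$WORK/server.pem"; then
    echo "system store already trusts the signer"
  else
    echo "system store: certificate verify failed (signer not trusted)"
  fi
  verify_with_ca "$WORK/ca.pem" "$WORK/server.pem" \
    && echo "with CA file: chain verifies, so pass this file with -C"
}
```

Run it with `main` appended, or point `verify_with_ca` at a CA file and the real server certificate (for example one saved from `openssl s_client -showcerts`) to confirm the signer before changing the relay configuration.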