# stunnel fails certificate validation after openssl update

## dr.nil

Hi,

I emerged the latest openssl stable update yesterday (dev-libs/openssl-1.0.0a-r3) and now my stunnel fails with

> Oct 13 08:50:01 xanthippe stunnel: LOG3[7126:3074582832]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I must admit that I mindlessly accepted the updated openssl.cnf, but I'm not aware that I made changes to it before either.

I'm thankful for any hint where to even start diagnosing this ...

-dirk

----------

## malern

I've had the same problem with various programs (wget, subversion, openldap) after updating openssl. I've read that some people have solved the problem by running

```
c_rehash /etc/ssl/certs
```

But that didn't work for me. The only way I found to fix it was to re-emerge the broken packages so they link against the new openssl libs. So I'd recommend re-emerging stunnel.

----------

## dr.nil

```
c_rehash /etc/ssl/certs
```

does not work for me either :(

I ran revdep-rebuild after the openssl update and I'm pretty sure stunnel was emerged as a result of this. Just to be sure I ran emerge stunnel again now, still the same problem.

----------

## malern

Try running

```
ldd /usr/bin/stunnel
```

and check what libraries it's actually linking against.

----------

## dr.nil

As I said ... stunnel does not fail because of library mismatch:

```
# ldd /usr/bin/stunnel
        linux-gate.so.1 =>  (0xb780a000)
        libutil.so.1 => /lib/libutil.so.1 (0xb77fd000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb77e4000)
        libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb7796000)
        libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb763e000)
        libc.so.6 => /lib/libc.so.6 (0xb74f7000)
        /lib/ld-linux.so.2 (0xb780b000)
        libdl.so.2 => /lib/libdl.so.2 (0xb74f3000)
        libz.so.1 => /lib/libz.so.1 (0xb74df000)
```

----------

## dr.nil

After some googling I found the solution. I added 

```
verify=2
```

to my stunnel.conf.

----------
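The `c_rehash` step suggested above rebuilds the hash-named symlinks that OpenSSL uses to look up CA certificates in a directory, and OpenSSL 1.0.0 computes those hashes differently from 0.9.8, so links left over from before the update are no longer found. The script below is an added example, not from the thread: it checks every certificate in a directory for a matching link, assuming the `openssl` command is on PATH; `check_capath` and `cert_fp` are hypothetical names.

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed CA directory (CApath).
# check_capath and cert_fp are hypothetical helper names; needs the openssl CLI.

# Print the SHA-1 fingerprint of a PEM certificate (empty if unreadable).
cert_fp() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" 2>/dev/null
}

# check_capath DIR
# For every *.pem / *.crt in DIR, compute the subject hash the installed
# openssl uses for lookups and confirm that DIR/<hash>.<n> resolves to the
# same certificate. Prints one line per problem and returns the number of
# problems (capped at 255).
check_capath() {
    dir=$1
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || {
            echo "UNREADABLE $cert"; missing=$((missing + 1)); continue; }
        fp=$(cert_fp "$cert")
        found=no
        # Subjects with the same hash get suffixes .0, .1, ...;
        # OpenSSL stops searching at the first missing suffix.
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            if [ "$(cert_fp "$dir/$hash.$n")" = "$fp" ]; then
                found=yes
                break
            fi
            n=$((n + 1))
        done
        if [ "$found" = no ]; then
            echo "NO-LINK $cert (expected $dir/$hash.N)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -le 255 ] || missing=255
    return "$missing"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_capath "$1"
fi
```

Running it with `/etc/ssl/certs` as the argument before and after `c_rehash` shows whether the rehash actually changed which certificates can be found.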

