stubby: TLS verification fails on self-signed certificates with LibreSSL 2.7, pass with OpenSSL
Hello, Stubby is able to run in strict mode with LibreSSL since the 2.7 release. This version now supports the OpenSSL 1.0.2 and 1.1 APIs. It works with servers that have a certificate signed by an authority. However, TLS verification fails on self-signed certificates. Here is a debug log with the Lorraine Data Network server, which has a self-signed certificate:
[12:04:55.862914] STUBBY: 80.67.188.188 : Conn opened: TLS - Strict Profile
[12:04:55.918753] STUBBY: 80.67.188.188 : Verify failed: TLS - *Failure* - (18) "self signed certificate"
[12:04:55.918834] STUBBY: 80.67.188.188 : Conn closed: TLS - *Failure*
[12:04:55.918845] STUBBY: *FAILURE* no valid transports or upstreams available!
[12:04:55.918918] STUBBY: 80.67.188.188 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = Failed, Keepalive(ms)= 0
[12:04:55.918930] STUBBY: 80.67.188.188 : Upstream : TLS - Resps= 0, Timeouts = 0, Best_auth = Failed
[12:04:55.918936] STUBBY: 80.67.188.188 : Upstream : TLS - Conns= 0, Conn_fails= 1, Conn_shuts= 0, Backoffs = 0
About this issue
- State: open
- Created 6 years ago
- Comments: 38 (34 by maintainers)
But self-signed certificates do not seem to work currently with OpenSSL 1.1.0. If I use only LDN servers, I get this without setting tls_auth_name: Verify failed : TLS - *Failure* - (18) "self signed certificate". Only when setting tls_auth_name (which is 80.67.188.188 in this case apparently, and not ns0.ldn-fai.net) did I get it working.