SSLVPN Kiosk Mode Client fails on stunnel connection after applying a new certificate

  • 7008465
  • 27-Apr-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Service Pack 3
Novell Access Manager 3.1 SSLVPN Server

Situation

  • SSLVPN Kiosk Mode Client fails on stunnel connection after applying a new certificate
  • The stunnel log includes the following error messages:

    SSL state (connect): SSLv3 read server hello A
    VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=DE/OU=Domain Control Validated/O=*.domain.de/CN=*.domain.de
    SSL alert (write): fatal: bad certificate
    SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Resolution

This issue has been reported to engineering.

As a workaround, keep the default test-stunnel certificate in the stunnel certificate store. This certificate is not sent over the wire and is not used for packet encryption, so the possibility of compromising encrypted packets is small.

Additional Information

The new certificate assigned to the SSLVPN server includes an Intermediate Trusted Root Certificate in its trust chain. A LAN trace shows that the SSLVPN server stunnel component does not send the complete trust chain to the stunnel client during the SSL handshake. Because only the root certificate is available locally, the stunnel client cannot build the chain to validate the SSLVPN server certificate, which produces the bad certificate error.
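The failure described above can be reproduced offline with a constructed root/intermediate/leaf chain. This is an added example, not part of the TID; the file names and the `sslvpn.example.test` hostname are made up. Verifying the leaf with only the root available fails with the same "unable to get local issuer certificate" error seen in the stunnel log; supplying the intermediate, as a server sending its full chain would, makes verification succeed.

```shell
#!/bin/sh
# Constructed demo: build root -> intermediate -> leaf, then verify the leaf
# without and with the intermediate certificate present.

make_chain() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sslvpn.example.test\n' > "$dir/leaf.ext"

    # Self-signed root CA (the only certificate the client trusts)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -days 2 -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA issued by the root (the link the server failed to send)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 2 -out "$dir/int.pem" 2>/dev/null

    # Server (leaf) certificate issued by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=sslvpn.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# Returns 0 only if verification fails with the exact error from the stunnel log:
# the client has the root but no way to reach it from the leaf.
verify_missing_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 \
        | grep -q "unable to get local issuer certificate"
}

# Returns 0 when the intermediate is supplied alongside the leaf, which is what a
# server sending its complete chain during the handshake achieves.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" \
        >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_chain "$WORK"
verify_missing_intermediate "$WORK" && echo "root only: unable to get local issuer certificate"
verify_with_intermediate "$WORK" && echo "root + intermediate: leaf verifies OK"
```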