SSL_CTX_use_certificate


#include <openssl/ssl.h>

Nginx won't reload: SSL_CTX_use_certificate_chain_file failed.

'SSL_CTX_use_certificate:ca md too weak' While I could ask clients to get a better CA certificate, it takes some of them a long time to do so. I was wondering if there's a way I could compile/configure the OpenSSL on my server to accept those certificates after all.

int
SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);

int
SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);

int
SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);

int
SSL_use_certificate(SSL *ssl, X509 *x);

int
SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);

int
SSL_use_certificate_chain_file(SSL *ssl, const char *file);

int
SSL_use_certificate_file(SSL *ssl, const char *file, int type);

int
SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);

int
SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len);

int
SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);

int
SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, long len);

int
SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);

int
SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);

int
SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);

int
SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);

int
SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);

int
SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, unsigned char *d, long len);

int
SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);

int
SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);

int
SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len);

int
SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);

int
SSL_CTX_check_private_key(const SSL_CTX *ctx);

int
SSL_check_private_key(const SSL *ssl);

Hello. I am getting the following error when I try to run stunnel:

[root@doadmzqas stunnel]# stunnel

[ ] Clients allowed=31999

[.] stunnel 5.17 on powerpc-ibm-aix5.2.0.0 platform

[.] Compiled/running with OpenSSL 1.0.1s 1 Mar 2016

[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

[ ] errno: (*_Errno())

[.] Reading configuration from file /opt/freeware/etc/stunnel/stunnel.conf

[.] UTF-8 byte order mark not detected

[.] FIPS mode disabled

[ ] Compression disabled

[ ] Snagged 64 random bytes from /home/root/.rnd

[ ] Wrote 1024 new random bytes to /home/root/.rnd

[ ] PRNG seeded successfully

[ ] Initializing service [sapdp3202]

[ ] Loading certificate from file: /opt/freeware/etc/stunnel/stunnel.pem

[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib

[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib

[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory

[!] Service [sapdp3202]: Failed to initialize SSL context

The version is 5.17 as you can see above. My config file looks like this:

; Log file (enable for troubleshooting)

output = /var/log/stunnel.log

; SSL Certificate and key files

cert = /opt/freeware/etc/stunnel/stunnel.pem

key = /opt/freeware/etc/stunnel/stunnel.key

; Restrict to FIPS compliant ciphers only

ciphers = FIPS

; Force the SSL version to TLSv1 only

sslVersion = TLSv1

; The cipher list and SSL version restrictions above should make us

; _de_facto_ FIPS compliant; our OpenSSL library is *not* FIPS

; compliant, so this cannot be set to 'yes'

fips = no

[sapdp3202]

client = yes

accept = 127.0.0.1:3202

connect = doaprdssl.dot.com.gov:4709

The OS is AIX version 7. Does anybody have any idea what this means?

Thanks in advance.
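
The last entry in the error queue above is `fopen` failing with "No such file or directory" for the path given in `cert`. As an added example (not part of the original post and not shipped with stunnel), the function below checks that every file named by `cert` and `key` in an stunnel.conf-style file exists, is readable, and that the key carries no group or other permissions; the function name `check_stunnel_tls_files` is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the files an stunnel.conf-style config
# names in "cert =" and "key =" (option names as in the config above).
# check_stunnel_tls_files is a hypothetical helper, not part of stunnel.

check_stunnel_tls_files() {
    conf=$1
    status=0
    [ -r "$conf" ] || { echo "FAIL config not readable: $conf"; return 2; }

    # Skip ';' comment lines; emit "<option> <path>" for cert/key settings.
    pairs=$(awk -F= '
        /^[ \t]*;/ { next }
        { opt = $1; gsub(/[ \t]/, "", opt) }
        index($0, "=") && (opt == "cert" || opt == "key") {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print opt, val
        }' "$conf")

    while read -r opt path; do
        [ -n "$opt" ] || continue
        if [ ! -e "$path" ]; then
            # Same condition that surfaces as "fopen:No such file or directory".
            echo "FAIL $opt: no such file: $path"; status=1
        elif [ ! -r "$path" ]; then
            echo "FAIL $opt: not readable by $(id -un): $path"; status=1
        elif [ "$opt" = key ] && [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
            # A private key should be accessible to its owner only.
            echo "FAIL key: group/other permissions set: $path"; status=1
        else
            echo "OK   $opt: $path"
        fi
    done <<EOF
$pairs
EOF
    return $status
}

# Usage: sh check.sh /path/to/stunnel.conf
if [ $# -gt 0 ]; then
    check_stunnel_tls_files "$1"
fi
```

Run it as the same user that starts stunnel, since readability depends on the account doing the `fopen`.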




