<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div style="" class="">Hello,</div><div style="" class=""><br style="" class=""></div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">In the stunnel documentation, I see the following:</div><dl style="" class=""><dt style="" class=""><strong style="" class=""><a href="" style="" name="level_4" class="">level 4</a></strong></dt><dd style="" class="">
<div style="" class="">Ignore CA chain and only verify peer certificate.</div></dd></dl><div style="" class="">My interpretation of level 4 was that only the server certificate had to be installed on the client in order for the cert verification to pass. No issuer/CA certificates were needed. However, when I do this, the connection fails. I see the following in the logs with verify=4:</div><div style="" class=""><br style="" class=""></div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">2014.08.12 21:17:57 LOG7[26768]: Starting certificate verification: depth=0, subject=/C=US/CN=a.b.com<br style="" class="">2014.08.12 21:17:57 LOG4[26768]: CERT: Verification error: unable to get local issuer certificate<br style="" class="">2014.08.12 21:17:57 LOG4[26768]: Certificate check failed: depth=0,
subject=/C=US/CN=a.b.com<br style="" class="">2014.08.12 21:17:57 LOG7[26768]: SSL alert (write): fatal: unknown CA<br style="" class="">2014.08.12 21:17:57 LOG3[26768]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br style="" class=""></div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">My config file contains the following:</div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">verify = 4</div><div class=""
style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">CAfile = /opt/stunnel/certs/clients.pem<br style="" class="">chroot = /opt/stunnel<br style="" class="">setuid = stunnel<br style="" class="">setgid = stunnel<br style="" class="">pid = /run/stunnel.pid<br style="" class="">debug = 7<br style="" class="">output = stunnel.log</div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">options = NO_SSLv2</div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">cert = /opt/stunnel/certs/server.pem<br style="" class="">key =
/opt/stunnel/certs/server.pem<br style="" class=""><br style="" class=""></div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">If I append the issuer certificate to the CAfile, after the peer certificate, then the connection is successful with verify=4.</div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br style="" class=""></div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">Is this expected behavior? Is there a verify level that works as I described above: only the peer certificate needs to be present, no CA/issuer
certificates at all?</div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br style="" class=""></div><div class="" style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">Thank you for your help.<br style="" class=""></div></div></body></html>
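The logged error, reproduced with the openssl command-line tool outside stunnel, as an added example that is not from the original mail or from the stunnel project. It assumes openssl is installed; the CA name is a constructed placeholder, the leaf subject reuses the one in the log, and the third check uses OpenSSL's own `verify -partial_chain` option to show what accepting the peer certificate alone as a trust anchor looks like at the OpenSSL level.

```shell
#!/bin/sh
# Added example, not from the original mail or from stunnel itself: reproduce the
# "unable to get local issuer certificate" result with the openssl CLI and
# throwaway certificates, then show the two ways the same check passes.
# Assumes the openssl command-line tool is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test CA (hypothetical name) and a leaf certificate that reuses
# the subject from the mail's log lines.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.pem \
    -subj "/C=US/CN=Example Test CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/C=US/CN=a.b.com" >/dev/null 2>&1
openssl x509 -req -days 1 -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem >/dev/null 2>&1

# The two CAfile layouts described in the mail: peer certificate alone, and
# peer certificate followed by its issuer.
cp leaf.pem cafile_peer_only.pem
cat leaf.pem ca.pem > cafile_peer_and_issuer.pem

# verify_against CAFILE [extra openssl-verify options]
# Prints openssl's verdict and returns its exit status (0 only on "OK").
verify_against() {
    cafile=$1
    shift
    openssl verify -CAfile "$cafile" "$@" leaf.pem 2>&1
}

echo "1) CAfile holds only the peer certificate (the poster's first setup):"
verify_against cafile_peer_only.pem || true   # chain cannot be built: error 20

echo "2) CAfile holds peer certificate plus issuer (the poster's working setup):"
verify_against cafile_peer_and_issuer.pem

echo "3) Peer-only CAfile, trust anchor allowed to be a non-root certificate:"
verify_against cafile_peer_only.pem -partial_chain
```

OpenSSL reports "unable to get local issuer certificate" whenever it cannot extend the chain from the peer certificate up to a self-signed root, so a CAfile holding only the leaf fails unless the verifier is explicitly allowed to stop at a non-root trust anchor.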