Hi Ender,
The AIA extension is indeed currently ignored by stunnel. This feature is on my TODO list. I hope to find time to implement it. I cannot just apply the patch, as it doesn't have a license. I also don't accept copyleft (e.g. GPL) patches.
The configuration you described seems to be correct.
Mike
On 2014-01-20 14:22, Ender Erel wrote:
I am sorry, it seems I forgot the link to the e-mail I mentioned.
https://www.stunnel.org/pipermail/stunnel-users/2008-July/002068.html
Any ideas?
Regards,
Ender Erel
*From:*stunnel-users [mailto:stunnel-users-bounces@stunnel.org] *On Behalf Of *Ender Erel *Sent:* Friday, January 17, 2014 3:31 PM *To:* stunnel-users@stunnel.org *Subject:* [stunnel-users] OCSP Responders in AIA extension
Hi All,
Does stunnel check the OCSP responders found in a certificate's AIA field? I am asking this because in the following e-mail from back 2008, the sender mentions a patch that implements this functionality. The patch is included with the mail but I don't think it is included in the later versions of stunnel. Does this mean OCSP responders inside a receied certificate are ignored?
I also want to ask another thing. When using verify = 3 in client mode, which file is used to check the received certificate? Is it the CAfile?
If so, would it work like this:
I manually opened a connection to a server outside stunnel,
downloaded the server's certificate, and closed the connection.
I saved this certificate to a file, and wrote the path of
this file in the stunnel configuration file (CAfile = /mycerts/tmpcert.pem,verify=3).
I started stunnel and initiated a connection to the server.
Would the connection be successful? Would it be the right way to use verify=3?
Kind Regards,
Ender Erel
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users