I've set up a test of stunnel with the latest stunnel and latest openssl, and if I set "verify=0" or "verify=1" I can get it to work (I'm tunneling a pop3 session), but if I set it any higher (to 2 or 3) it won't work for me.
Now, I'm not sure which level is "necessary" because in stunnel.conf I read: ------------------------- ; authentication stuff needs to be configured to prevent MITM attacks ; it is not enabled by default! ;verify = 2 ------------------------- ... which sounds like verify defaults to 0. But is a verify level of 1 enough to solve the man-in-the-middle problem? It seems like it would not be (since level 1 will allow absence of a certificate), but I am not sure. I guess my questions boil down to:
1) What are the necessary settings for "authentication stuff" to prevent the MITM attack vector mentioned in stunnel.conf? 2) What is the proper way to set up (self-signed) certs to prevent such an attack? Can a self-signed cert be used at a verify level of 2 or 3?
Dave