That is, the location of _your_ keys and certificate is given by cert= and key=. The location of the _CA_ certificate (verify level=2)
Ludolf,
Thanks for the explanation! I am slowly starting to understand (I think).
So, what exactly will be looked for in the CAfile when verify is set to 2? While I've been pondering this and testing things, I went ahead and set myself up as a CA so that I could sign my own cert, to test that angle. I've gotten that done, signed the cert, and this new signed cert and key work just fine at verify=1 or lower. So what should be in CAfile when verify=2? What is being looked for in that file when a connection attempt is made?
You mentioned above that CAfile would contain the location of the CA certificate, but I've tried the new CA's public pem, its private key, the server's public certs, and various combinations of those in the file referenced in CAfile (since I am not sure what exactly to put there) :), and while most of these changes would actually allow stunnel to start, connecting with a client would fail and I'd get this in the logs:
SSL alert (read): warning: no certificate
SSL alert (write): fatal: handshake failure
SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
So I guess I've put the wrong thing in the file referenced by CAfile, but I'm still not sure I understand what it's looking for...?
Dave
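The check behind verify=2, as an added example that is not part of the thread (a POSIX shell script driving the openssl command line; the file names, the stunnel.conf stanza and its port numbers are constructed for the demo). With verify=2 stunnel asks the client for a certificate and rejects the connection when none is sent, which is what the "peer did not return a certificate" line in the log records; when one is sent, it must chain to a CA certificate listed in CAfile. The script builds two small CAs, puts one CA's public certificate (not its private key and not the server certificate) into the file used as CAfile, and runs openssl verify the way stunnel's OpenSSL verifier does for a presented client certificate:

```shell
#!/bin/sh
# Added example, not from the thread: what stunnel's verify=2 looks for in CAfile.
# All paths, names and the stunnel.conf stanza below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: writes <prefix>-ca.key (private) and <prefix>-ca.pem (public cert).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1 demo CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# Leaf certificate <name>.pem (+ <name>.key) signed by the CA <prefix>.
sign_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The chain check stunnel performs on a presented peer certificate:
# does $2 chain to a CA certificate contained in $1 (the CAfile)?
verify_against_cafile() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_demo_pki() {
  make_ca mine                  # the CA you run
  sign_leaf mine server         # the stunnel server's own cert= / key=
  sign_leaf mine client         # a client cert issued by your CA
  make_ca other                 # an unrelated CA ...
  sign_leaf other stranger      # ... and a client cert issued by it

  # CAfile holds the CA's *public* certificate in PEM form (several CAs may be
  # concatenated); it never holds private keys.
  cp "$WORK/mine-ca.pem" "$WORK/CAfile.pem"

  # Server stanza requiring a client certificate that chains to that CA
  # (constructed stunnel 4-style configuration, port numbers arbitrary).
  cat > "$WORK/stunnel.conf" <<EOF
[demo]
accept  = 8443
connect = 127.0.0.1:8080
cert    = $WORK/server.pem
key     = $WORK/server.key
CAfile  = $WORK/CAfile.pem
verify  = 2
EOF
}

build_demo_pki
echo "client signed by our CA, CAfile = CA cert:      $(verify_against_cafile "$WORK/CAfile.pem" "$WORK/client.pem")"
echo "client signed by another CA, CAfile = CA cert:  $(verify_against_cafile "$WORK/CAfile.pem" "$WORK/stranger.pem")"
echo "client signed by our CA, CAfile = server cert:  $(verify_against_cafile "$WORK/server.pem" "$WORK/client.pem")"
echo "demo files in $WORK"
```

openssl verify mirrors only the chain check; the client side of stunnel must also be given its own cert= and key= (here client.pem and client.key) so that it actually presents a certificate during the handshake, otherwise the server logs "peer did not return a certificate" no matter what CAfile contains.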