al_9x@yahoo.com wrote:
> - Are the certificates restricted to the host(s) specified in them
> (CN, alt name)? Or will they validate any site that happens to return them?
Hostname checks against distinguished name and alternative name fields are not supported by stunnel. They would not be really useful, as "connect" targets are statically defined in stunnel.conf. It's easier and more secure to assign a separate CAfile to each service section of stunnel.conf (see an example below).
> - I think some host restriction makes sense, but rather than use
> what's inside the cert, it would be good to allow the user to specify the host name(s) which a given cert should be restricted to.
client = yes
verify = 3 (or 4)

[section1]
accept = port1
connect = target1
CAfile = target1.pem

[section2]
accept = port2
connect = target2
CAfile = target2.pem
> - The certificates are only used for server verification, they
> would never be treated as CA, right?
Yes, OpenSSL checks certificate purpose specified in X.509 v3 basicConstraints.
See openssl-1.0.0e/crypto/x509v3/v3_purp.c file for the implementation.
Mike
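The per-service CAfile layout recommended above can be checked mechanically. The following is an added example, not stunnel's own code or the poster's: it parses a stunnel.conf (a constructed sample with the hypothetical targets target1.example and target2.example) and flags client sections whose verify level is not 3 or 4, that lack a CAfile, or that share one CAfile with another section.

```python
def parse_stunnel_conf(text):
    """Return (global_opts, [(section, opts), ...]); options before the first
    [section] are global and are inherited by every service section."""
    global_opts, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip(), current))
            continue
        key, _, value = line.partition("=")
        (global_opts if current is None else current)[key.strip().lower()] = value.strip()
    return global_opts, sections

def lint_cafile_per_service(text):
    """Flag client sections that do not pin one distinct peer certificate:
    verify must be 3 or 4, CAfile must be set, and no two sections may share it."""
    global_opts, sections = parse_stunnel_conf(text)
    findings, owners = [], {}
    for name, opts in sections:
        eff = {**global_opts, **opts}       # section options override global ones
        if eff.get("client", "no").lower() != "yes":
            continue
        if eff.get("verify") not in ("3", "4"):
            findings.append(f"[{name}] verify={eff.get('verify', 'unset')}: needs 3 or 4 to pin the peer certificate")
        cafile = eff.get("cafile")
        if not cafile:
            findings.append(f"[{name}] no CAfile: peer certificate is not checked")
            continue
        owners.setdefault(cafile, []).append(name)
    for cafile, names in owners.items():
        if len(names) > 1:
            findings.append(f"CAfile {cafile} shared by {', '.join(names)}: each target's certificate is accepted by all of them")
    return findings

# Constructed sample configs (not from the post); BAD_CONF weakens verify and reuses one CAfile.
GOOD_CONF = """client = yes
verify = 3
[section1]
accept = 1443
connect = target1.example:443
CAfile = target1.pem
[section2]
accept = 2443
connect = target2.example:443
CAfile = target2.pem
"""
BAD_CONF = GOOD_CONF.replace("verify = 3", "verify = 2").replace("target2.pem", "target1.pem")
```

Running `lint_cafile_per_service(BAD_CONF)` reports both sections for verify = 2 and the shared target1.pem; the good config yields no findings.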