On Wed, 2011-02-09 18:13:30 -0600, Dave wrote:
[..]
1) What are the necessary settings for "authentication stuff" to prevent the MITM attack vector mentioned in stunnel.conf?
As far as I understood the whole thing, you need level two or three to force the peer to use a certificate at all.
2) What is the proper way to set up (self-signed) certs to prevent such an attack? Can a self-signed cert be used at a verify level of 2 or 3?
Self-signed certificates can't be checked against a certificate authority (and can't be revoked). For self-signed certificates to be handled sensibly, you need level three. BTW, level three is not 'higher' than level two, just 'different': Level two checks the certificate against a CA, while level three checks it for being locally installed. HTH, Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid@bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------