10 Feb
2011
10 Feb
'11
8:37 a.m.
On Wed, 2011-02-09 18:13:30 -0600, Dave wrote:
[..]
- What are the necessary settings for "authentication stuff" to prevent
the MITM attack vector mentioned in stunnel.conf?
As far as I understood the whole thing, you need level two or three to force the peer to use a certificate at all.
- What is the proper way to set up (self-signed) certs to prevent such
an attack? Can a self-signed cert be used at a verify level of 2 or 3?
Self-signed certificates can't be checked against a certificate authority (and can't be revoked). For self-signed certificates to be handled sensibly, you need level three.
BTW, level three is not 'higher' than level two, just 'different': Level two checks the certificate against a CA, while level three checks it for being locally installed.
HTH,
Ludolf
--
---------------------------------------------------------------
Ludolf Holzheid Tel: +49 621 339960
Bihl+Wiedemann GmbH Fax: +49 621 3392239
Floßwörthstraße 41 e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------