On Wed, 11 Jan 2006, Olivier twist wrote:
In the past, I always used stunnel with the option verify set at 2. Works fine.
But for the past few days I have had a basic use of an SSL connection and need only a server certificate, and I use a classical browser like Netscape on the client side.
If I don't set verify at 1, the certification chain is broken, I see it in Netscape. If I try to set verify at 1 then the certification chain is valid BUT before the connection the browser asks me for a client certificate!! I click cancel and it works but I don't want the browser to ask for a client certificate! I don't have this problem with apache mod ssl but.... I don't want to use apache because I have only port redirection to do on a non-http protocol and it seems that we can't do redirection on a non-http protocol with the proxy module for example.
Have you an idea?
Maybe. You say you only want to verify the server certificate, right? Then why ask for a client certificate? verify = 1 says 'verify peer certificate if present'. Hence, it will verify the *client certificate* if you have one. So it will ask you for one. Just don't do verify on your stunnel server and you should be OK.
I use stunnel 4.14.
Jan