Anyone have any thoughts here? We're going through the process of splitting up all of our SubCAs out into their own dedicated RootCAs, but that doesn't seem like a great option. It would be much better if we could simply specify the verification depth for Stunnel. Thoughts on how hard this might be to add?

Matt Wise

Sr. Systems Architect

Nextdoor.com

On Fri, Apr 11, 2014 at 9:21 AM, Matt Wise <matt@nextdoor.com> wrote:

It was my understanding that when you have an Stunnel Server configured with 'verify=2', that the client that connects must have a certificate signed by the same CA/SubCA combination that the server does. So for example:

- My_Root_Ca (private CA)
- Some_Random_Cert.pem
- Stunnel_Sub_Ca:
- Server.pem
- Client.pem
- Postgres_Sub_Ca:
- Server.pem

- postgres_user.pem

With the above structure in place (and the stunnel server using Stunnel_Sub_Ca/Server.pem) if someone tried to connect in with the Stunnel_Sub_Ca/Client.pem cert, it would work... but if they tried to connect in with Postgres_Sub_Ca/Server.pem, it wouldn't.

Unfortunately we're not seeing that behavior... we're seeing a behavior where *every* cert signed by the overall Root CA is validated. We're able to connect in using Some_Random_Cert.pem, Postgres_Sub_Ca/Server.pem and Postgres_Sub_Ca/postgres_user.pem.

This feels wrong ... what am I missing?

(We're using Stunnel 4.55 btw)

Matt Wise
Sr. Systems Architect
Nextdoor.com