Dear Anonymous,
(where is the traditional Polish politeness...)
On Saturday 14 of May 2005 22:50, spambox@poczta.onet.pl wrote:
client = yes verify = 2 CAfile = ThawteServerCA.txt [asd] accept = 127.0.0.1:60465 connect = smtp.gmail.com:465
I don't think it's a good idea. You probably don't really *trust* all companies that have a certificate signed by Thawte.
It's much better to have verify=3 and the exact certificate used by the server as the CAfile parameter.
I don't know how to enforce stunnel to verify CN field from server provided certificate.
What you need is cryptographic authentication. CN verification is vulnerable to DNS poisoning.
So, am I wrong that when someone hijack (mitm) this connection and provide any server cert signed by ThawteServerCA then I loose? Please add this verification to stunnel when verify is set to 2 or better as an separate option "verify_cn?" which could be used in service-level context.
No. I'm not going to give users a false sense of security.
Usting this option with that described below I can drop 'verify' and 'CAfile' at all and feel much better. :)
No. You should download the peer certificate and verify it with verify=3.
Best regards, Mike