On Thu, 9 Feb 2006, Olivier twist wrote:
I've already sent a message for my problem but no answer.
Try to be a little more patient. The people who give support on this list are generally busy people who are kind enough to provide support on stunnel to the broader community on a volunteer basis, free of charge. But they do have regular jobs.
I have a server certificate signed by GlobalSign. I don't want to use a client certificate. But if I don't put the certification chain in the CAFILE of stunnel and don't set verify to 1, stunnel doesn't check the server certification chain and the server certificate appears broken on the client side! I've posted this problem on the stunnel mailing list, but you tell me that if I don't use a client certificate I don't have to set verify to 1. But it doesn't work, and why do GlobalSign and others explain how to install the server certification chain on servers like Apache mod_ssl (see http://support.globalsign.net/en/serversign/apachemodssl.cfm)? When I read this help file, I suppose that the SSL protocol on the server side makes a check of the server certificate, and that's the reason why the certificate chain appears broken or not on the client side.
From your description I gather that you have stunnel at both the client and server side? If so, try to set verify=1 at the *client side* to verify the server certificate chain and do not do verify at the server side. If I remember correctly you should put the CA chain in the 'server.pem' file together with your server certificate.
Jan
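
An added example, not part of the original thread: it uses the openssl command line (assumed to be installed) rather than stunnel to show why the chain has to travel with the server certificate. A constructed throwaway root, intermediate and leaf stand in for the GlobalSign chain; the client trusts only the root and accepts the leaf only when the intermediate is presented alongside it. All file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# All file names and subjects are made up for the demo.

make_demo_pki() {   # $1 = scratch directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Root signs itself, root signs the intermediate, intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
}

# What a verifying client does: trust only the root ($1) and try to build a
# path from the first certificate in $2 using the other certificates in $2,
# i.e. the certificates the server presents during the handshake.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    cat "$d/leaf.crt" > "$d/leaf_only.pem"                 # chain left out
    cat "$d/leaf.crt" "$d/int.crt" > "$d/with_chain.pem"   # leaf first, then its issuer
    for f in leaf_only with_chain; do
        if client_accepts "$d/root.crt" "$d/$f.pem"; then r=accepted; else r=rejected; fi
        echo "$f.pem: $r"
    done
    rm -rf "$d"
}
demo
```

The server never validates its own certificate here; it only supplies the intermediate, and the decision is made entirely by the side that holds the trusted root.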