Hi,
we're trying to make use of stunnel here for proxy purposes: any certificate-authenticated SSL client connection from the Internet would be forwarded to some internal server.
This works fine, but I found some surprising behaviour when verifying client certificates. Consider the following setup, using an intermediate client CA:
* RootCA
  ** UserCA1
    *** UserCert1
  ** UserCA2
    *** UserCert2
To make this work, it seems I only have to include the Root CA certificate in either a CAfile or a directory of trusted certificates. I would have expected to have to include the intermediate CA (which is signing the user certificate), but it seems it is not the case.
What worries me is that now *any* end-entity certificate which has been issued by *other* intermediate CAs is accepted as valid, i.e. UserCert2 is accepted as valid, even if I don't include UserCA2 anywhere in the configuration.
Is this really the intended behaviour? If not, what would I be missing?
Simon
stunnel.conf -----------------------------------------------------------
connect = 127.0.0.1:25
CApath = /etc/stunnel/certs
cert = /etc/stunnel/apollon.genoscope.cns.fr-RevChain.pem
key = /etc/stunnel/apollon.genoscope.cns.fr-Key.pem
verify = 2
debug = 7
------------------------------------------------------------------------
[root@apollon certs]# ls -l /etc/stunnel/certs/
total 4
lrwxrwxrwx 1 root root   28 sep 30 11:01 9a5490ff.0 -> GenoscopeACRacine.cacert.pem
-rw-r--r-- 1 root root 2269 sep 15 11:47 GenoscopeACRacine.cacert.pem
[root@apollon certs]#
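Added illustration, not part of Simon's post: a simplified Python model of the path building OpenSSL performs for stunnel's verify = 2, using the hierarchy from the post. Certificates, keys and signatures are constructed stand-ins (a key-id match replaces real signature checking) so it runs without OpenSSL; it shows why a CApath holding only RootCA accepts UserCert2 as soon as the client sends UserCA2 along, and the extra issuer check a deployment that only wants UserCA1's clients would need.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed stand-in for an X.509 certificate: subject, issuer name, the id of
# its own public key, and the id of the key that "signed" it. A real
# verifier checks a cryptographic signature; here a key-id match plays that role.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str
    signed_by_key: str

def signature_ok(cert: Cert, issuer: Cert) -> bool:
    return cert.issuer == issuer.subject and cert.signed_by_key == issuer.key_id

def build_chain(leaf: Cert, presented: List[Cert], trusted: List[Cert]) -> Optional[List[Cert]]:
    """Model of verify = 2: follow issuer links through the certificates the
    client presented plus the local store (CApath), and accept as soon as the
    walk reaches a trusted certificate. Returns the chain (leaf first) or None.
    Note that *any* intermediate signed by a trusted root extends the chain."""
    by_subject = {c.subject: c for c in list(presented) + list(trusted)}
    chain, cur = [leaf], leaf
    for _ in range(len(by_subject) + 1):          # bounded walk, guards against loops
        if any(cur.subject == t.subject and cur.key_id == t.key_id for t in trusted):
            return chain
        issuer = by_subject.get(cur.issuer)
        if issuer is None or not signature_ok(cur, issuer):
            return None
        chain.append(issuer)
        cur = issuer
    return None

def accept_with_issuer_allowlist(leaf: Cert, presented: List[Cert], trusted: List[Cert],
                                 allowed: Set[Tuple[str, str]]) -> bool:
    """The constraint the post is after: a valid chain AND the certificate that
    directly issued the leaf must be one of the pinned (subject, key_id) pairs."""
    chain = build_chain(leaf, presented, trusted)
    if chain is None or len(chain) < 2:
        return False
    return (chain[1].subject, chain[1].key_id) in allowed

# Constructed hierarchy matching the post: RootCA signs UserCA1 and UserCA2.
ROOT = Cert("RootCA", "RootCA", "k-root", "k-root")
USER_CA1 = Cert("UserCA1", "RootCA", "k-ca1", "k-root")
USER_CA2 = Cert("UserCA2", "RootCA", "k-ca2", "k-root")
USER_CERT1 = Cert("UserCert1", "UserCA1", "k-u1", "k-ca1")
USER_CERT2 = Cert("UserCert2", "UserCA2", "k-u2", "k-ca2")
TRUST_STORE = [ROOT]                              # what /etc/stunnel/certs holds: only the root
PINNED_ISSUERS = {("UserCA1", "k-ca1")}

if __name__ == "__main__":
    print(build_chain(USER_CERT2, [USER_CA2], TRUST_STORE) is not None)                  # True
    print(accept_with_issuer_allowlist(USER_CERT2, [USER_CA2], TRUST_STORE, PINNED_ISSUERS))  # False
```

In stunnel itself the stricter setting is verify = 3, which additionally requires the peer certificate to be present locally in CApath or CAfile rather than merely chaining to a trusted root.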