Hi David,
On 8/26/22 13:51, david.rundqvist@gmail.com wrote:
If I hash the client certificates and put them in a folder (with file names <hash>.0), and use the CAPath parameter on the server, together with verify=3, the server's Certificate Request message contains an empty list of "Distinguished Names". However, if I put the client certificates concatenated in a .pem file, and use the CAFile parameter on the server, the Certificate Request message does contain the Distinguished Names.
Is this the correct behavior? I thought CAFile and CAPath worked more or less in the same way, but perhaps the Certificate Request message is implemented differently, depending on whether you use CAFile or CAPath? My preferred way is to use CAPath: is there some way I can get the Distinguished Names not to be empty when using CAPath?
TL;DR: Yes, this is the correct behavior. Also, you probably misuse X.509 by adding and removing individual client certificates instead of using its hierarchical trust model: https://en.wikipedia.org/wiki/X.509
The main difference between CAfile and CApath is that CAfile reads all the certificates together with stunnel's configuration file, while CApath only reads a certificate during certification path validation. https://en.wikipedia.org/wiki/Certification_path_validation_algorithm
Using CApath saves startup time and memory usage with a large number of trusted certificates, but it does not allow for building a list of trusted Distinguished Names. Consequently, there is no way for stunnel to use CApath with automatic client certificate selection. https://textslashplain.com/2020/05/04/client-certificate-authentication/
The proper way to configure automatic client certificate selection is to provide the CA certificate used for signing your client certificates with CAfile and the list of revoked certificates with CRLfile.
Best regards, Mike
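The following script is an added example, not code from the stunnel project or from either participant in this thread. It builds the two trust stores the reply contrasts from a single CA certificate: a CApath directory of `<hash>.0` files (the layout `c_rehash` / `openssl rehash` produce) and a CAfile bundle. It then verifies a client certificate against each store and writes the two stunnel service snippets side by side: the CApath one, which cannot advertise Distinguished Names, and the CAfile plus CRLfile one the reply recommends. The names `demo-ca` and `demo-client`, the ports, the `server.pem` path and the `ca.crl` path are constructed assumptions; it needs `openssl` 1.1.1 or newer.

```shell
# Added example: CApath vs CAfile trust stores built from ONE CA certificate.
# demo-ca, demo-client, ports and file paths are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/capath"
CAFILE="$WORK/cafile.pem"

# Self-signed CA (CA:TRUE so path validation accepts it as an issuer) plus one
# client certificate signed by it. A private config avoids depending on the
# system openssl.cnf.
make_pki() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=demo-client" \
        -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
}

# CApath layout: each trusted certificate lives in <subject_hash>.<n>. OpenSSL
# opens a file here only when validation needs an issuer with that subject,
# so no Distinguished Name list exists up front.
build_capath() {
    mkdir -p "$CAPATH"
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")
    cp "$WORK/ca.pem" "$CAPATH/$hash.0"
    echo "$CAPATH/$hash.0"
}

# CAfile layout: a PEM bundle read in full at startup; every subject in it
# becomes a Distinguished Name in the server's Certificate Request.
build_cafile() {
    cat "$WORK/ca.pem" > "$CAFILE"
    echo "$CAFILE"
}

# Both stores validate the client certificate; only CAfile can also advertise
# DNs. -no-CAfile/-no-CApath keep the system default store out of the test.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$CAPATH" "$WORK/client.pem"
}
verify_with_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$CAFILE" "$WORK/client.pem"
}

# The subject a CAfile-based server would send in its Certificate Request.
advertised_dn() {
    openssl x509 -noout -subject -in "$CAFILE"
}

# stunnel service snippets (assumed ports and paths): the first cannot send
# DNs, the second can. ca.crl is a placeholder for a CRL issued by your CA.
write_stunnel_configs() {
    cat > "$WORK/capath-no-dns.conf" <<EOF
[demo]
accept = 8443
connect = 127.0.0.1:8080
cert = $WORK/server.pem
verifyChain = yes
CApath = $CAPATH
EOF
    cat > "$WORK/cafile-with-dns.conf" <<EOF
[demo]
accept = 8443
connect = 127.0.0.1:8080
cert = $WORK/server.pem
verifyChain = yes
CAfile = $CAFILE
CRLfile = $WORK/ca.crl
EOF
}

make_pki
build_capath
build_cafile
write_stunnel_configs
verify_with_capath
verify_with_cafile
advertised_dn
```

To confirm what a running server actually advertises, connect with `openssl s_client -connect host:port`: it lists the server's Distinguished Names under "Acceptable client certificate CA names", or prints "No client certificate CA names sent" when the list is empty, which is what a CApath-only server produces.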