On Thu, 2011-02-10 12:43:15 -0600, Dave wrote:
> [..]
> So, what exactly will be looked for in the CAfile when verify is set to 2?
Dave,
I use verify level three, so I haven't tested this yet. I expect the CAfile to be a file with one or more certificates in PEM format concatenated together. 'openssl verify -CAfile <ca file> <peer certificate>' should give 'OK'.
If a connection with the peer is made, the two instances of stunnel (one at either end of the tunnel) present their certificates to each other. With verify level two, each instance checks the certificate received from the peer against the CA certificate in CAfile (or CApath, respectively) just as "openssl verify" does.
> [..] and while most of these changes would actually allow stunnel to start, connecting with a client would fail and I'd get this in the logs:
>
> SSL alert (read): warning: no certificate
> SSL alert (write): fatal: handshake failure
> SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
I'm not sure about the first two lines, but the third one says the peer did not present a valid certificate, i.e. it possibly presented a certificate which could not be successfully verified.
HTH,
Ludolf
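An added example (not part of the thread above, and not stunnel's own code) showing the CAfile check Ludolf describes: it builds two throwaway CAs and one peer certificate per CA, writes CAfiles as concatenated PEM, and runs the same `openssl verify -CAfile` check that stunnel's verify level 2 applies to the peer certificate. The names ca-a, ca-b, peer-a and peer-b are constructed for this demo; the second check models a peer whose certificate does not chain to any CA in the CAfile.

```shell
#!/bin/sh
# Added example: exercise "openssl verify -CAfile" against constructed
# CAs and peer certificates (all names below are made up for this demo).

# check_cafile CAFILE PEERCERT: 0 if PEERCERT chains to a CA in CAFILE, else 1.
check_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CANAME NAME: key, CSR and certificate signed by CANAME.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" >/dev/null 2>&1
}

# setup_pki: create the certificates and CAfiles, print the working directory.
setup_pki() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" ca-a && make_ca "$dir" ca-b &&
    make_leaf "$dir" ca-a peer-a && make_leaf "$dir" ca-b peer-b || return 1
    # A CAfile is one or more CA certificates in PEM format, concatenated.
    cp "$dir/ca-a.pem" "$dir/CAfile-a.pem"
    cat "$dir/ca-a.pem" "$dir/ca-b.pem" > "$dir/CAfile-both.pem"
    echo "$dir"
}

# report CAFILE PEERCERT: print what stunnel verify=2 would decide.
report() {
    if check_cafile "$1" "$2"; then echo "OK:   $2 verifies against $1"
    else echo "FAIL: $2 does not verify against $1 (stunnel would reject it)"; fi
}

main() {
    dir=$(setup_pki) || { echo "certificate generation failed"; exit 2; }
    report "$dir/CAfile-a.pem" "$dir/peer-a.pem"      # OK
    report "$dir/CAfile-a.pem" "$dir/peer-b.pem"      # FAIL: ca-b not trusted
    report "$dir/CAfile-both.pem" "$dir/peer-b.pem"   # OK: both CAs concatenated
    rm -rf "$dir"
}

main "$@"
```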