Sebastian Bork wrote:
The normal setup is "verify = 3" and the complete certificate chain for each partner is put into the CA path. In most cases, this works without problems. However, in the handshake, after the server certificate is sent and stunnel asks the client to send a client certificate, stunnel sends an empty list of trusted CAs.
You should have implemented it the other way around: The "cert" option should contain the complete certificate chain of stunnel, and "CApath"/"CAfile" should only contain the trusted CA certificate for "verify = 2", and the trusted peer certificate for "verify = 3".
Basically, the "cert" option selects the certificates to send, and the "CApath"/"CAfile" options select the certificates used to authenticate the other machine.
Mike
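The split Mike describes, as an added stunnel configuration example (not part of either message in this thread); the file paths and the service name are assumptions, and the two fragments are meant as alternatives for the same service, not as one file:

```ini
; Fragment 1 - the setup described in the original post.
; Only the leaf certificate is in "cert", while the intermediates, the CA and
; the partner certificates are all dropped into CApath. stunnel therefore
; sends the leaf alone and advertises no trusted CA names to the client.
[partner-link]
accept  = 443
connect = 127.0.0.1:8080
; leaf certificate only (assumed path)
cert    = /etc/stunnel/server-leaf-only.pem
key     = /etc/stunnel/server.key
; hashed directory holding CA, intermediates and partner certificates (assumed path)
CApath  = /etc/stunnel/certs/
verify  = 3

; Fragment 2 - the split Mike recommends.
; "cert" carries the complete chain stunnel should send (leaf first, then the
; intermediates, PEM concatenated in order). CAfile holds only what is trusted
; to authenticate the peer: the partner's own certificate for verify = 3.
[partner-link]
accept  = 443
connect = 127.0.0.1:8080
; leaf + intermediate(s), in order (assumed path)
cert    = /etc/stunnel/server-chain.pem
key     = /etc/stunnel/server.key
; verify = 3: the trusted partner certificate(s) (assumed path)
CAfile  = /etc/stunnel/trusted-peers.pem
verify  = 3

; Variant of fragment 2 for verify = 2: CAfile then holds the trusted CA
; certificate instead of the individual partner certificates.
; CAfile  = /etc/stunnel/trusted-ca.pem
; verify  = 2
```

To confirm the effect from the client side, `openssl s_client -connect host:port` prints the CA names the server advertises under "Acceptable client certificate CA names", or "No client certificate CA names sent" when the list is empty as in fragment 1.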