Hello,
I'm using stunnel in client mode to provide an SSL connection for offlineimap[1] which does not support verification of SSL certificates.
As I've read, stunnel does not compare the name of the server offering the certificate to the server name mentioned in the certificate (in the CN field, for example). So if I used the following section in my stunnel.conf
client=yes

[imaps]
accept = 127.0.0.1:4322
connect = imap.gmail.com:993
CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
verify = 2
stunnel would happily accept any certificate signed by Equifax for an arbitrary website. Is this correct?
So I've switched to using the verify=3 option and I just want to make sure I configured it correctly.
I'm now using the following section
client=yes

[imaps]
accept = 127.0.0.1:4322
connect = imap.gmail.com:993
CAfile = /home/ph/.certs/imaps.pem
verify = 3
imaps.pem is a file containing two certificates, namely the first and the last certificate in the certificate chain of imap.gmail.com, that is, the Equifax CA certificate and the server certificate itself.
I then use offlineimap to establish an unencrypted connection to 127.0.0.1:4322.
My understanding is that stunnel will now exclusively accept the server certificate stored in the imaps.pem file rendering all MITM attacks impossible.
I'd be grateful if someone could confirm that this setup makes sense. Is this the way the verify=3 option is supposed to be used? At first I thought it should be enough to just provide the server certificate in the imaps.pem file, but then openssl would complain about a self-signed certificate, so I included the CA certificate as well.
Regards, Philipp
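As an added illustration (this is not part of the post above, nor the stunnel project's own sample configuration), the following stunnel.conf shows the weak section from the post beside two hardened variants: one that keeps CA-based verification but ties the certificate to the host name, and one that pins the server certificate the way the post's verify = 3 does. It assumes stunnel 5.x, where the named options verifyChain, verifyPeer and checkHost exist (the numeric `verify = N` spelling from the post is still accepted there as a legacy form), a build against OpenSSL 1.0.2 or newer for checkHost, and a Debian-style system CA bundle path; the port numbers and file paths are placeholders for the example.

```ini
; Added example, not the original post's configuration and not stunnel's own
; sample file. Assumes stunnel 5.x option names; bundle path is an assumption.

client = yes

; WEAK: verify = 2 only checks that the presented chain ends at a trusted CA.
; Any certificate issued by that CA, for any host name, is accepted, because
; nothing here ties the certificate's subject or SAN to imap.gmail.com.
[imaps-weak]
accept = 127.0.0.1:4322
connect = imap.gmail.com:993
CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
verify = 2

; HARDENED, chain-based: validate the chain against the system CA bundle and
; additionally require the certificate to match the host name. This keeps
; working across the server's routine certificate renewals.
; (assumed path: Debian-style system bundle; adjust for your distribution)
[imaps]
accept = 127.0.0.1:4323
connect = imap.gmail.com:993
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = imap.gmail.com
sni = imap.gmail.com

; HARDENED, pinned: the named-option equivalent of the post's verify = 3.
; verifyPeer accepts only a leaf certificate that is itself present in CAfile,
; so the file must hold the server certificate, and verifyChain additionally
; needs its issuer in the same file for the chain to validate (which is why the
; post had to add the CA certificate). The file must be refreshed whenever the
; server rotates its certificate, or the tunnel stops connecting.
[imaps-pinned]
accept = 127.0.0.1:4324
connect = imap.gmail.com:993
CAfile = /home/ph/.certs/imaps.pem
verifyChain = yes
verifyPeer = yes
```

Only one of the three sections is needed in practice; they are listed side by side on distinct local ports so the difference in the verification directives is visible in one file. The pinned variant is the strongest against a CA-issued rogue certificate but trades that for operational fragility, while the checkHost variant is the one to prefer when the server's certificate is expected to change.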