Hello,
Have you tried using only the public part of the CA chain in the “cert=” parameter, client-side?
Your second option would look like this:
[Server]
cert=wholeCert.pem
verifyPeer=yes
[Client]
verifyPeer=yes
cert=publicCert.pem
CAFile=publicCert.pem
Additionally, if you use the whole chain (Root + Intermediate + … + Leaf certs), you can specify a CAFile parameter server-side, and enable the verifyChain parameter on both sides.
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
Phone: +33 1 69 82 79 43 • Mobile: +33 6 48 11 16 12
Safran Data Systems
5, avenue des Andes - CS 90101
91978 Courtaboeuf Cedex, France
www.safran-electronics-defense.com
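An added example (not code from this thread or from the stunnel project) that builds the key material for the arrangement Florian's reply points at, generalized so that each side has its own key pair: a "whole" file (private key + certificate) stays on the host that uses it for cert=, and only the extracted public certificate is copied to the peer for its CAFile. It uses the openssl command line only and does not start stunnel; the file names, the scratch directory and the accept/connect addresses are assumptions made for the demonstration. The peer_verifies function approximates what verifyPeer=yes checks: with a self-signed certificate as the trust anchor, only that exact certificate is accepted.

```shell
#!/bin/sh
# Added example, not code from the stunnel-users thread or the stunnel project.
# Builds the key material for a verifyPeer=yes deployment in which the only
# thing that crosses hosts is a PUBLIC certificate: each side keeps its own
# private key, and the peer gets the public certificate for its CAFile.
# Assumptions: the openssl CLI is installed; file names, the scratch directory
# and the accept/connect addresses below are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed)

# Create a self-signed key pair for one side. The private key stays on that host.
make_identity() {               # $1 = side name (server|client)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
    # stunnel reads the key from the "cert=" file when "key=" is not given,
    # so the file a side uses for cert= holds both (the thread's "wholeCert.pem").
    cat "$WORK/$1-key.pem" "$WORK/$1-cert.pem" > "$WORK/$1-whole.pem"
}

# Extract the certificate only (the thread's "publicCert.pem"): this is the
# file handed to the peer, and the only one that should ever leave the host.
public_part() {                 # $1 = side name
    openssl x509 -in "$WORK/$1-whole.pem" -out "$WORK/$1-public.pem"
}

# True when a file carries no private key, i.e. it is safe to distribute.
has_no_private_key() {          # $1 = PEM file
    ! grep -q 'PRIVATE KEY' "$1"
}

# Approximates the check stunnel performs with verifyPeer=yes: the presented
# certificate must chain to something in CAFile. With a self-signed peer
# certificate as the trust anchor, only that exact certificate is accepted.
peer_verifies() {               # $1 = CAFile, $2 = certificate the peer presents
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Write both configurations. Note which file each side references: its own
# whole file (key + certificate) for cert=, the peer's public file for CAFile=.
write_configs() {
    cat > "$WORK/stunnel-server.conf" <<EOF
[Server]
accept = 8443
connect = 127.0.0.1:8080
cert = $WORK/server-whole.pem
verifyPeer = yes
CAFile = $WORK/client-public.pem
EOF
    cat > "$WORK/stunnel-client.conf" <<EOF
[Client]
client = yes
accept = 127.0.0.1:9000
connect = 127.0.0.1:8443
cert = $WORK/client-whole.pem
verifyPeer = yes
CAFile = $WORK/server-public.pem
EOF
}

demo() {
    make_identity server
    make_identity client
    public_part server
    public_part client
    write_configs

    # Distribution check: the public files are clean, the whole files are not.
    has_no_private_key "$WORK/client-public.pem"
    has_no_private_key "$WORK/server-public.pem"
    if has_no_private_key "$WORK/client-whole.pem"; then
        echo "unexpected: whole file has no key" >&2; return 1
    fi

    # Trust check, as the server would see it: the client's certificate
    # verifies against the CAFile the server holds ...
    peer_verifies "$WORK/client-public.pem" "$WORK/client-public.pem"
    # ... and a certificate from any other key pair is rejected.
    if peer_verifies "$WORK/client-public.pem" "$WORK/server-public.pem"; then
        echo "unexpected: foreign certificate accepted" >&2; return 1
    fi
    echo "key material and configs written to $WORK"
}

demo
```

Run it once and inspect the two .conf files in the scratch directory: the server's CAFile names only the client's public certificate, so a client holding any other key pair fails the handshake, while the client's private key is never present on the server at all.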
From: Giulio Regazzo [mailto:capireg@gmail.com]
Sent: Monday 16 November 2020 09:29
To: stunnel-users@stunnel.org
Subject: [stunnel-users] PSK Configuration
Hi, I'm new to stunnel. And I'm trying to configure a server that accepts TCP socket connections only from clients that have a pre-shared certificate.
Looking at the online documentation I found the verifyPeer option, but it is described as being used on the client side. Trying to use it on the server side, I achieved my goal, but only if the client has the whole certificate (private + public).
My question is: Can I obtain in some way the same result sharing only the public part of the certificate?
Currently I'm using a configuration like this one (skipping the accept and connect options):
[Server]
cert=wholeCert.pem
verifyPeer=yes
[Client]
cert=wholeCert.pem
verifyPeer=yes
CAFile=wholeCert.pem
and I'm looking for something like:
[Server]
cert=wholeCert.pem
verifyPeer=yes
[Client]
verifyPeer=yes
CAFile=publicCert.pem
If I try this second option, the server refuses the connection in the handshake phase, saying that the client didn't provide any certificate.
Is there a way to achieve this?
Thank you.