Hi,
I've attached a patch against stunnel 4.10. It adds two verification options to the global configuration:
=== remote_subj = expected subject for the remote certificate
If set, the remote certificate's subject must match this string. You can obtain the subject in the proper format by running
openssl x509 -in servercert.pem -noout -subject
Example:
remote_subj = /C=CA/ST=Ontario/CN=gw
Requires verify=2 or greater.
verify_depth = maximum number of CA certificates in chain
Specifies the maximum certificate chain depth when verifying the peer certificate:
0: peer certificate must be self-signed
1: peer certificate must be signed by a root CA
2: peer certificate can be signed by at most one intermediate CA
The stunnel default depth is 9 for backwards compatibility. Please note that Apache/SSL defaults to 1. If your non-CA certificates are marked with the X509v3 basic constraint "CA:FALSE", you probably do not need to worry about chain depth. This is the default behaviour for most CA tools, including the scripts that ship with OpenSSL. ===
remote_subj probably belongs in per-service config, not global, but the SSL verification setup is global and I didn't want to start messing with it.
Mike
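A small checker for the two options described above, added here as an example: it is not stunnel's code and not part of Mike's patch (which is not reproduced in the message). It assumes remote_subj is compared as an exact string in OpenSSL's one-line slash form, that verify_depth counts CA certificates above the peer certificate, and it makes up a stunnel.conf fragment and two `openssl x509 -noout -subject` output lines. The second line shows the newer OpenSSL 1.1.0+ subject format ("C = CA, ST = Ontario, CN = gw"); on those versions you need `-nameopt compat` to get the slash form the post quotes, and the helper below converts either style.

```python
"""Check a peer certificate subject and chain depth the way remote_subj and
verify_depth are described above.  Constructed example, not stunnel code.
"""

# Sample output of `openssl x509 -noout -subject` (constructed lines).
# OpenSSL 0.9.x/1.0.x printed the slash form; 1.1.0+ prints the comma form
# unless -nameopt compat is given.
OLD_STYLE = "subject= /C=CA/ST=Ontario/CN=gw"
NEW_STYLE = "subject=C = CA, ST = Ontario, CN = gw"

# Minimal global section with the two new options, followed by one service
# (constructed; paths and hostnames are placeholders).
CONFIG = """\
cert = /etc/stunnel/client.pem
CAfile = /etc/stunnel/ca.pem
verify = 2
remote_subj = /C=CA/ST=Ontario/CN=gw
verify_depth = 1

[https]
accept = 8443
connect = gw.example.org:443
"""


def canonical_subject(line: str) -> str:
    """Reduce either openssl output style to the /C=../CN=.. form used by remote_subj.

    Escaped commas ("\\,") or multi-valued RDNs ("+") in the comma form are not
    handled; for such subjects run openssl with -nameopt compat instead.
    """
    body = line.strip()
    if body.lower().startswith("subject="):
        body = body[len("subject="):].strip()
    if body.startswith("/"):
        return body                       # already the slash form
    parts = []
    for rdn in body.split(", "):
        key, sep, value = rdn.partition(" = ")
        if not sep or not key:
            raise ValueError(f"unrecognised subject component: {rdn!r}")
        parts.append(f"/{key}={value}")
    return "".join(parts)


def parse_globals(text: str) -> dict:
    """Read `key = value` lines that appear before the first [service] section."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            break                         # per-service options start here
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def subject_ok(opts: dict, subject_line: str) -> bool:
    """Exact string match against remote_subj; requires verify = 2 or greater."""
    expected = opts.get("remote_subj")
    if expected is None:
        return True                       # option unset: no subject pinning
    if int(opts.get("verify", 0)) < 2:
        raise ValueError("remote_subj requires verify = 2 or greater")
    return canonical_subject(subject_line) == expected


def depth_ok(opts: dict, chain: list) -> bool:
    """chain lists subjects from the peer certificate up to the root.

    verify_depth counts CA certificates above the peer: 0 means the peer must
    be self-signed, 1 that it is signed directly by a root, 2 allows one
    intermediate.  The stunnel default is 9.
    """
    depth = int(opts.get("verify_depth", 9))
    return len(chain) - 1 <= depth


if __name__ == "__main__":
    opts = parse_globals(CONFIG)
    for line in (OLD_STYLE, NEW_STYLE):
        print(line, "->", canonical_subject(line), subject_ok(opts, line))
    print("depth ok:", depth_ok(opts, ["/C=CA/ST=Ontario/CN=gw", "/C=CA/CN=Root CA"]))
    print("depth ok:", depth_ok(opts, ["/C=CA/CN=gw", "/C=CA/CN=Inter", "/C=CA/CN=Root CA"]))
```

Run it as-is to see both subject styles collapse to the same string and the three-certificate chain rejected under verify_depth = 1.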