Tim Skirvin tskirvin@stanford.edu writes:
> I've got a Comodo signed SSL certificate that I'm trying to use with stunnel4 to allow secure NNTP connections from a wide variety of clients. The certificate at least partially works; if I leave 'verify' off in the stunnel.conf file, then the service runs and users can connect, albeit while still having to verify the cert. But if I turn 'verify' on, then it doesn't work on *either* side.
Well, I've gotten this to work, after dealing with a large number of red herrings and nastiness. In short:
1. Turn off all 'verify' options; that's trying to solve a problem I'm not working with. (Also, turn down the 'debug' to something reasonable and turn off 'foreground'.)
2. Put all three certificates in news-stunnel.pem, separated by a single blank line.
3. Point CAfile at an existent file, or take it out altogether.
That's it. Once that's done, everything works.
I should note that throughout the help documents and man pages, I was told that the CAfile directive was an important part of keeping track of the certificates, and told to use it to store copies of the upstream certs. This was apparently not relevant. Perhaps the documentation could be updated to note this?
- Tim Skirvin (tskirvin@stanford.edu)
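As an added illustration of the three steps above (this is not code from the thread or from the stunnel project), the following POSIX shell script checks the two things that turned out to matter: that the combined PEM bundle actually holds the full certificate chain with balanced BEGIN/END markers, and that any CAfile directive in stunnel.conf points at a file that exists. The file names, the stunnel.conf fragments and the PEM contents are constructed placeholders; the assumption that the server bundle also carries the private key (stunnel reads the key from the cert file unless a separate key directive is given) is mine, not the post's.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for the stunnel
# PEM bundle and the CAfile directive. All paths and contents are constructed.

# Validate a combined stunnel PEM: one private key (assumption: server bundle
# carries its key), at least MIN_CERTS certificate blocks, balanced BEGIN/END.
check_pem_bundle() {
    file=$1
    min_certs=${2:-1}
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    # grep -c prints 0 but exits 1 when nothing matches, hence the "|| :"
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$file" || :)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file" || :)
    begins=$(grep -c '^-----BEGIN ' "$file" || :)
    ends=$(grep -c '^-----END ' "$file" || :)
    echo "$file: $keys key(s), $certs certificate(s)"
    [ "$keys" -eq 1 ] || { echo "expected exactly one private key" >&2; return 1; }
    [ "$certs" -ge "$min_certs" ] || { echo "expected at least $min_certs certificates (chain incomplete?)" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END markers" >&2; return 1; }
    return 0
}

# If stunnel.conf names a CAfile, it must exist; a dangling path is exactly the
# failure mode the post ran into. No CAfile at all is fine when verify is off.
check_cafile() {
    conf=$1
    path=$(sed -n 's/^[[:space:]]*CAfile[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$path" ]; then
        echo "$conf: no CAfile directive (fine with verify off)"
        return 0
    fi
    if [ -f "$path" ]; then
        echo "$conf: CAfile $path exists"
        return 0
    fi
    echo "$conf: CAfile $path does not exist; fix the path or drop the directive" >&2
    return 1
}

# Constructed sample bundle: one key plus three certificate blocks (placeholder
# bodies, not real certificates), each separated by a single blank line.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
bundle="$workdir/news-stunnel.pem"
{
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END RSA PRIVATE KEY-----' ''
    for n in 1 2 3; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-CERT-$n" '-----END CERTIFICATE-----' ''
    done
} > "$bundle"

# Constructed stunnel.conf following the post: no verify, no CAfile.
cat > "$workdir/good.conf" <<EOF
; NNTP over TLS: accept on 563, hand off to the local news server on 119
[nntps]
accept  = 563
connect = 119
cert    = $bundle
EOF

# Constructed stunnel.conf with the mistake the post describes: a CAfile
# pointing at a file that is not there.
cat > "$workdir/bad.conf" <<EOF
[nntps]
accept  = 563
connect = 119
cert    = $bundle
CAfile  = $workdir/does-not-exist.pem
EOF

# Run the checks; the bad config is expected to fail.
check_pem_bundle "$bundle" 3
check_cafile "$workdir/good.conf"
check_cafile "$workdir/bad.conf" || echo "bad.conf rejected as expected"
```

Run it as-is to see the three outcomes; to check a real deployment, call `check_pem_bundle /path/to/news-stunnel.pem 3` and `check_cafile /etc/stunnel/stunnel.conf` against your own files.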