Hello,
I've already sent a message about my problem but got no answer.
I have a server certificate signed by GlobalSign. I don't want to use a client certificate. But if I don't put the certification chain in the CAFILE of stunnel and don't set verify to 1, stunnel doesn't check the server certification chain and the server certificate appears broken on the client side!!! I've posted this problem on the stunnel mailing list, but you tell me that if I don't use a client certificate I don't have to set verify to 1. But it doesn't work, and why do GlobalSign and others explain how to install the server certification chain on servers like Apache mod_ssl? (see http://support.globalsign.net/en/serversign/apachemodssl.cfm) When I read this help file, I suppose that the SSL protocol on the server side makes a check of the server certificate, and that's the reason why the certificate chain appears broken or not on the client side.
My current ugly solution is to set verify to 1. In this case, on the client side, the certificate appears good and not broken, but... a dialog box appears and asks for a client certificate, and some plugins like Flash don't support that.
I use stunnel 4.14. stunnel.conf:

cert = c:\certif\inTest.crt
key = c:\certif\inTest.key

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

verify = 1
CAfile = c:\certif\ca.pem

;client = yes

[https]
accept = 443
connect = 127.0.0.1:901
TIMEOUTclose = 0

[rtmps]
accept = 80
connect = 127.0.0.1:900
TIMEOUTclose = 0

Could anybody give me some support?
Thx
Oliver