Hi all,
I have configured stunnel to do the client authentication, but I have some questions.
I have used following config:
cert = /etc/certificates/server.pem - file with signed server cert and key (passwordless)
chroot = /var/run/stunnel/
CAfile = /etc/certificates/certs - file where the first item is my CA certificate followed by a list of all client certificates signed by my CA.
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
verify = 3
This setup is working, but this seems very "illogical" to me. If I create a setup that is "more logical" for me:
cert = /etc/certificates/server.pem
chroot = /var/run/stunnel/
CAfile = /etc/certificates/CA/cacert.pem - only the certificate of my CA
CRLfile = /etc/certificates/crls - only certificates signed by my CA
I get the following error:
2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C= .....
2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C=
The question is ... why? Why does CAfile have to contain all client certificates, when the client certs are not CAs? Why can't I have a separate file for the CA and a separate file for the certificates that I want to accept? If I do a similar setup in mod_ssl, the configuration works as expected.
Anyway, I'm a newbie at deploying stunnel, so I would like to ask you for your opinion of this configuration, caveats and possible enhancements.
Thanks for any comments,
Bohdan Linda
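A constructed stunnel configuration, added here as an example and not taken from the original post, showing the two verification levels side by side: verify = 3 checks the client certificate against a copy stored locally in CAfile, while verify = 2 only checks that it chains to the CA in CAfile and is not listed in the CRL given by CRLfile. The service section name, ports and the CRL path are assumptions.

```ini
; Global options (paths follow the original post; CRL path is assumed)
cert   = /etc/certificates/server.pem
chroot = /var/run/stunnel/
setuid = nobody
setgid = nogroup
pid    = /stunnel.pid

; verify = 3: the peer certificate itself must be present in CAfile,
; so CAfile has to carry every accepted client certificate as well as
; the CA; a client whose certificate is missing fails with
; "VERIFY ERROR ONLY MY: no cert for ..." even though the chain is valid.
;CAfile = /etc/certificates/certs
;verify = 3

; verify = 2: accept any certificate that chains to the CA in CAfile
; and is not revoked. CRLfile holds CRLs issued by the CA (PEM),
; not end-entity certificates; revocation is the only per-client control.
CAfile  = /etc/certificates/CA/cacert.pem
CRLfile = /etc/certificates/CA/crl.pem
verify  = 2

; Service section (assumed name and ports)
[https]
accept  = 443
connect = 8080
```

With verify = 2, a revoked client is rejected only once its serial appears in the CRL that CRLfile points to, so the CRL needs to be regenerated and stunnel reloaded whenever a client certificate is withdrawn.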