On Sun, 04 Oct 2009 07:23:15 +0200 delaage.pierre@free.fr wrote:
> You are right that my suggestions only work with verify = 3. But with verify = 2, you should try this: CApath empty, CAfile containing a concatenation of ONLY the intermediate CA certs you really want.
OK, here are the results:
- CAfile containing only the intermediate CA cert I want to trust:
LOG4[32456:3086175120]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: [...]
LOG7[32456:3086175120]: SSL alert (write): fatal: unknown CA
which seems reasonable.
- CAfile containing the intermediate CA I want to trust and the Root CA:
LOG6[32464:3086822288]: SSL accepted: new session negotiated
This works, and trying to authenticate with a certificate issued by another sub CA does not work (good news ;-).
Actually, it also works when using CApath. The issue I encountered apparently only occurs if you add, then remove, a CA certificate from the CApath: if I added a sub CA certificate and the corresponding link to the path, tested the connection, and then removed them, I could still authenticate, which I found weird, since the setup is in inetd mode (so stunnel would be started from scratch at each connection).
I can't reliably reproduce the issue today. Maybe some kind of race condition?
Anyway, I can separate users based on their issuing CA now, so I guess everything is fine.
Thanks,
Simon
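The CAfile experiments above, replayed with `openssl verify` against a throwaway PKI. This is an added example, not code from the thread or from stunnel: it assumes an `openssl` binary of 1.1.0 or newer (for `-no-CApath`), all certificate names are made up, and the extension profiles are typical values, not anything the thread specifies. It reproduces the three results Simon reports (intermediate-only CAfile fails at depth 1, intermediate plus root works, a certificate from another sub CA is rejected) and adds one more scenario a practitioner should check: the same other-sub-CA certificate when the client also sends its intermediate in the handshake, which `-untrusted` models.

```shell
#!/bin/sh
# Added example, not from the stunnel thread: build a throwaway PKI
# (root -> Sub CA A -> user-from-A, root -> Sub CA B -> user-from-B) and
# replay the CAfile experiments with `openssl verify`. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
EOF
# Extension profiles (assumed, typical values) for CA and client certificates.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_csr NAME SUBJECT: fresh unencrypted RSA key plus a CSR for it.
new_csr() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# issue NAME ISSUER EXTFILE: sign NAME's CSR with ISSUER's key and certificate.
issue() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 30 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
}

new_csr root "/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
new_csr subA "/CN=Example Sub CA A";   issue subA root ca.ext
new_csr subB "/CN=Example Sub CA B";   issue subB root ca.ext
new_csr clientA "/CN=user-from-A";     issue clientA subA leaf.ext
new_csr clientB "/CN=user-from-B";     issue clientB subB leaf.ext

# The CAfile the thread ended up with: the one intermediate we want plus the root.
cat subA.pem root.pem > trusted-chain.pem

# verify_with CAFILE LEAF [UNTRUSTED]: exit 0 if LEAF chains to CAFILE.
# UNTRUSTED stands in for an intermediate the client sends in its handshake;
# -no-CApath keeps the system trust store out of the picture.
verify_with() {
    if [ $# -ge 3 ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# verify_partial CAFILE LEAF: like verify_with, but accept a non-self-signed
# trust anchor (X509_V_FLAG_PARTIAL_CHAIN), so an intermediate-only CAfile works.
verify_partial() {
    openssl verify -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# show LABEL CMD...: report one scenario as "ok" or "rejected".
show() {
    label=$1; shift
    if "$@"; then echo "$label: ok"; else echo "$label: rejected"; fi
}

show "CAfile=subA only, user-from-A"                 verify_with subA.pem clientA.pem
show "CAfile=subA only + partial_chain, user-from-A" verify_partial subA.pem clientA.pem
show "CAfile=subA+root, user-from-A"                 verify_with trusted-chain.pem clientA.pem
show "CAfile=subA+root, user-from-B"                 verify_with trusted-chain.pem clientB.pem
show "CAfile=subA+root, user-from-B sends subB"      verify_with trusted-chain.pem clientB.pem subB.pem
```

The first four lines of output match the thread: with only Sub CA A in the CAfile the chain cannot reach a self-signed root and verification fails at depth 1 (the `-partial_chain` variant shows what it takes to accept an intermediate as the anchor); with Sub CA A plus the root, user-from-A is accepted and user-from-B is rejected because its issuer is nowhere to be found. The last line is the caveat: once user-from-B's client presents Sub CA B in its handshake, OpenSSL builds the chain through that untrusted intermediate to the root in the CAfile and accepts it. So with `verify = 2` and `CAfile = trusted-chain.pem` (CApath unset) the separation of users by issuing CA holds only while the other CAs' clients do not send their intermediate; a check of the peer certificate itself, as in the `verify = 3` approach the quoted reply mentions, or an explicit check of the leaf's issuer DN in the application, does not depend on that.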