On Thu, 01 Oct 2009 06:44:12 +0200 delaage.pierre@free.fr wrote:
Everything should work "securely" once you have usercert2 hash present in your CApath (and client cert file present of course somewhere on the server), and that there is really a chain from that cert to the related rootca (the chain should be present in the client cert file, so there is no need to declare chains in stunnel server conf file).
Hmmm. That would be the necessary setup with verify=3, right ? I agree that it would be more secure, but having to list every issued client cert there does not scale very well.
What would be really worrying would be if usercert2 was validated while being not present in CApath: but this is not the case, isn't it...
OK. I think I misunderstood the purpose of CApath: I was under the impression that only the signing CA (in our case, the intermediate one) was significant. Instead it seems that the root of the chain is actually checked.
So I guess there's no way to have stunnel discriminate users based upon an intermediary CA, then (except with verify=3) ?
Simon