Hi,
I believe this has been discussed before on the list but I wanted to get a better understanding and confirm the current situation.

Is it still correct that when using verify=2, the peer's hostname is not checked (via a name service lookup) to match the Common Name in the presented certificate? With the main reason being that you cannot necessarily trust the name service?

I am asking because we have a closed network in which we do trust our dns servers, and Common Name checking would be advantageous to us given the following scenario:

What we have is a single (central) host that connects to multiple 'client' hosts via stunnel. The central host presents a certificate signed by our own CA. Each client has a copy of our CA's certificate and has verify=2. So when the central server connects, the client checks that the certificate presented has really been signed by our own CA. So using this mechanism, only servers (i.e. the central server) with a signed certificate are allowed to connect.

All good so far, however the problem is if the signed certificate is copied (stolen) to another server. This 'other' server can connect to all the clients also. With Common Name checking, the clients could, as well as checking the signature, check that the presenting host has the same hostname as in the certificate.

Is there any way we can use stunnel to help us guard against this 'stolen cert' situation, or if not, what else could we do?

Thanks,
Mark
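The configuration below is an added illustration, not part of the original post or of stunnel's documentation. It shows the 'client' side described in the message (the host that accepts the central server's connection) with the verify=2 setting from the post, and beside it the checkHost option that stunnel 5.x added for exactly this purpose: requiring the peer certificate's subject name to match a name configured locally. The file paths, service name and hostname are placeholders.

```ini
; Added example (not from the original post): stunnel.conf on one of the
; 'client' hosts, i.e. the side that accepts the central server's connection.
; Assumes stunnel 5.x (checkHost was introduced in the 5.x series).
; All paths and names below are placeholders.

cert   = /etc/stunnel/client-host.pem      ; this host's own certificate + key
CAfile = /etc/stunnel/our-ca.pem           ; our private CA, used to verify the peer

[central-feed]
client  = no                               ; we accept TLS from the central server
accept  = 8443                             ; port the central server connects to
connect = 127.0.0.1:8080                   ; plaintext service behind stunnel

; As in the post: level 2 rejects the connection unless the peer presents a
; certificate chaining to our CA. It proves "signed by us", not "who".
verify = 2

; Added check: the peer certificate's subject (CN / DNS SAN) must also match
; this name. It is compared against a value configured here, so it does not
; depend on a DNS lookup of the peer's address. Several checkHost lines are
; allowed if more than one name is acceptable.
checkHost = central.example.internal
```

Two caveats for the scenario in the post. First, checkHost binds the certificate to a name, not to the TCP peer: a certificate copied together with its private key still satisfies both verify=2 and checkHost from any host, so protecting the key (file permissions, one key per host, prompt revocation via stunnel's CRLfile option when a copy is suspected) remains the primary defence. Second, stunnel does not compare the peer's address against the certificate by reverse lookup, which is the check the post asks about; restricting which source addresses may reach the accept port (host firewall, or stunnel's libwrap support) is the usual way to narrow that gap on a closed network.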