
On 10/26/2011 05:56 PM, al_9x@yahoo.com wrote:
On 10/26/2011 3:43 AM, Jochen Bern wrote:
So I'd guess that the algorithm you're at odds with is part of OpenSSL, rather than something stunnel can change. Trusting a specific server cert is a viable validation strategy, I doubt openssl makes that impossible.
Unlike with stunnel, I'm able to forgo belief and put OpenSSL to the test pretty much wherever my laptop happens to be running:

$ openssl s_client -showcerts -connect imaps:imaps > Server.crt 2>&1
1 LOGOUT
$ grep -n CERT Server.crt
15:-----BEGIN CERTIFICATE-----
35:-----END CERTIFICATE-----
$ openssl s_client -verify 5 -CAfile Server.crt \
    -connect imaps:imaps 2>&1 | grep Verify
Verify return code: 21 (unable to verify the first certificate)
1 LOGOUT
$ openssl s_client -verify 5 -CAfile /etc/openvpn/*-ca-cert.pem \
    -connect imaps:imaps 2>&1 | grep Verify
Verify return code: 0 (ok)
1 LOGOUT
Regards,
J. Bern
--
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel
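The two verification outcomes above, reproduced offline against a throwaway CA with openssl verify, next to the fingerprint comparison that trusting one specific server cert actually calls for. This is an added example, not part of the thread; the CA, the "imaps" leaf and the paths under $WORK are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA and a leaf cert
# for "imaps", reproduce the two outcomes above with openssl verify, and
# contrast them with a SHA-256 fingerprint pin. All files under $WORK are
# constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Self-signed CA (the default openssl.cnf marks req -x509 certs CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Leaf cert issued by that CA, the kind a mail server would present.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imaps" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
      -out "$WORK/leaf.pem" 2>/dev/null
}

# Path validation as OpenSSL does it: echo 0 if the store in $1 can anchor a
# chain to the cert in $2, else 1. A leaf placed in the store is neither
# self-signed nor its own issuer, so it anchors nothing; in the s_client run
# above the same missing path surfaces as verify return code 21.
verify_against() {
  case "$(openssl verify -CAfile "$1" "$2" 2>&1 || true)" in
    *": OK") echo 0 ;;
    *)       echo 1 ;;
  esac
}

# Pinning: accept exactly the cert whose SHA-256 fingerprint matches, no CA.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
pin_matches() {   # $1 = presented cert, $2 = pinned fingerprint
  if [ "$(fingerprint "$1")" = "$2" ]; then echo 0; else echo 1; fi
}

make_pki
PINNED=$(fingerprint "$WORK/leaf.pem")
echo "CAfile=leaf, cert=leaf: $(verify_against "$WORK/leaf.pem" "$WORK/leaf.pem")"  # 1
echo "CAfile=ca,   cert=leaf: $(verify_against "$WORK/ca.pem"   "$WORK/leaf.pem")"  # 0
echo "pin vs leaf:            $(pin_matches "$WORK/leaf.pem" "$PINNED")"            # 0
echo "pin vs ca:              $(pin_matches "$WORK/ca.pem"   "$PINNED")"            # 1
```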