On 10/26/2011 05:56 PM, al_9x@yahoo.com wrote:
> On 10/26/2011 3:43 AM, Jochen Bern wrote:
>> So I'd guess that the algorithm you're at odds with is part of OpenSSL, rather than something stunnel can change.
> Trusting a specific server cert is a viable validation strategy; I doubt OpenSSL makes that impossible.
Unlike with stunnel, I'm able to forgo belief and put OpenSSL to the test pretty much wherever my laptop happens to be running:
$ openssl s_client -showcerts -connect imaps:imaps > Server.crt 2>&1
1 LOGOUT
$ grep -n CERT Server.crt
15:-----BEGIN CERTIFICATE-----
35:-----END CERTIFICATE-----
$ openssl s_client -verify 5 -CAfile Server.crt \
    -connect imaps:imaps 2>&1 | grep Verify
Verify return code: 21 (unable to verify the first certificate)
1 LOGOUT
$ openssl s_client -verify 5 -CAfile /etc/openvpn/*-ca-cert.pem \
    -connect imaps:imaps 2>&1 | grep Verify
Verify return code: 0 (ok)
1 LOGOUT
Regards, J. Bern