Hello,
Everything should work "securely" once you have the usercert2 hash present in your CApath (and the client cert file present, of course, somewhere on the server), and there is really a chain from that cert to the related root CA (the chain should be present in the client cert file, so there is no need to declare chains in the stunnel server conf file). If that is the case, we can say that your server has issued the client certificate, in one way or another, and client cert validation will work.
What would be really worrying would be if usercert2 were validated while not being present in CApath: but this is not the case, is it...
Pierre
Quoting Simon Vallet sjv@genoscope.cns.fr:
Hi,
we're trying to make use of stunnel here for proxy purposes: any certificate-authenticated SSL client connection from the Internet would be forwarded to some internal server.
This works fine, but I found some surprising behaviour when verifying client certificates. Consider the following setup, using an intermediate client CA:
- RootCA
  ** UserCA1
     *** UserCert1
  ** UserCA2
     *** UserCert2
To make this work, it seems I only have to include the Root CA certificate in either a CAfile or a directory of trusted certificates. I would have expected to have to include the intermediate CA (which is signing the user certificate), but it seems it is not the case.
What worries me is that now *any* end-entity certificate which has been issued by *other* intermediate CAs is accepted as valid, i.e. UserCert2 is accepted as valid, even if I don't include UserCA2 anywhere in the configuration.
Is this really the intended behaviour? If not, what would I be missing?
Simon
stunnel.conf -----------------------------------------------------------
connect = 127.0.0.1:25
CApath = /etc/stunnel/certs
cert = /etc/stunnel/apollon.genoscope.cns.fr-RevChain.pem
key = /etc/stunnel/apollon.genoscope.cns.fr-Key.pem
verify = 2
debug = 7

[root@apollon certs]# ls -l /etc/stunnel/certs/
total 4
lrwxrwxrwx 1 root root   28 sep 30 11:01 9a5490ff.0 -> GenoscopeACRacine.cacert.pem
-rw-r--r-- 1 root root 2269 sep 15 11:47 GenoscopeACRacine.cacert.pem
[root@apollon certs]#
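Added example, not code from either post: a throw-away PKI mirroring Simon's tree, checked with openssl(1) the way a root-only CApath behaves under stunnel's verify = 2, followed by two ways to narrow trust: anchoring at UserCA1 with -partial_chain, and Pierre's approach, which is what stunnel's verify = 3 enforces (the peer certificate itself must be installed in CApath). It assumes openssl >= 1.0.2 and an openssl.cnf on the system; every name and key is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild Simon's PKI with throw-away keys,
# reproduce why UserCert2 verifies against a root-only CApath, then show two
# ways to narrow trust. Assumes openssl(1) >= 1.0.2; every name is constructed.
PKI=$(mktemp -d); mkdir "$PKI/certs"
echo 'basicConstraints=critical,CA:TRUE' >"$PKI/ca.ext"

mkcert() {   # mkcert NAME ISSUER  (ISSUER=self for the root)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  ext=""; case $1 in *CA*) ext="-extfile $PKI/ca.ext";; esac   # only CAs get CA:TRUE
  if [ "$2" = self ]; then
    openssl x509 -req -days 1 -in "$PKI/$1.csr" -signkey "$PKI/$1.key" \
      $ext -out "$PKI/$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$PKI/$1.csr" -CA "$PKI/$2.pem" \
      -CAkey "$PKI/$2.key" -CAcreateserial $ext -out "$PKI/$1.pem" 2>/dev/null
  fi
}
install_hashed() {   # link a cert into CApath under its subject hash (9a5490ff.0 style)
  ln -s "$PKI/$1.pem" "$PKI/certs/$(openssl x509 -noout -hash -in "$PKI/$1.pem").0"
}
mkcert RootCA self
mkcert UserCA1 RootCA; mkcert UserCert1 UserCA1
mkcert UserCA2 RootCA; mkcert UserCert2 UserCA2
install_hashed RootCA      # what Simon's ls shows: only the root is trusted

ok() { grep -q ': OK$' && echo OK || echo FAIL; }
# Simon's setup: the client sends its intermediate, the store holds only RootCA.
verify_root() { openssl verify -CApath "$PKI/certs" \
    -untrusted "$PKI/$(echo "$1" | sed s/Cert/CA/).pem" "$PKI/$1.pem" 2>&1 | ok; }
# Fix 1: anchor trust at UserCA1 itself (OpenSSL -partial_chain), so UserCA2's
# certs cannot chain to anything trusted even with their intermediate supplied.
verify_pinned() { openssl verify -partial_chain -CAfile "$PKI/UserCA1.pem" \
    -untrusted "$PKI/UserCA2.pem" "$PKI/$1.pem" 2>&1 | ok; }
# Fix 2: Pierre's suggestion, i.e. stunnel verify = 3 semantics: the peer
# certificate itself must be installed in CApath, matched here by fingerprint.
installed() {
  fp=$(openssl x509 -noout -fingerprint -in "$PKI/$1.pem")
  for f in "$PKI/certs"/*; do
    [ "$(openssl x509 -noout -fingerprint -in "$f")" = "$fp" ] && { echo OK; return; }
  done; echo FAIL
}
install_hashed UserCert1   # the server "has issued" UserCert1, so it is installed
echo "root-only CApath : UserCert1=$(verify_root UserCert1) UserCert2=$(verify_root UserCert2)"
echo "pinned to UserCA1: UserCert1=$(verify_pinned UserCert1) UserCert2=$(verify_pinned UserCert2)"
echo "verify=3 style   : UserCert1=$(installed UserCert1) UserCert2=$(installed UserCert2)"
```

The first line reproduces Simon's observation (both leaves OK with only RootCA hashed), the other two show UserCert2 rejected once trust is anchored at the intermediate or at the installed peer certificate.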