2010/3/31 Michal Trojnara Michal.Trojnara@mirt.net
You should have implemented it the other way around:
The "cert" option should contain the complete certificate chain of stunnel, and
"CApath"/"CAfile" should only contain the trusted CA certificate for "verify = 2", and the trusted peer certificate for "verify = 3".
Hi,
thank you for your quick reply! Alas, I think we started with a misunderstanding. I know how our own certificate and the partner certificates are configured, and the instance with verify=3 works for some thirty partners. All client certificates are validated just as they should be. The file I set in "cert" contains the three certificates in the server certificate chain for stunnel, in the correct order. "CApath" is set to a directory that has all the symlinks with md5 hashes for the client certificates (the certificates themselves are all in their own subdirectories, with another set of symlinks, so I can use the subdirectory for an stunnel client process, and the directory at the top for the server).
So when I wrote I put the whole certificate chain for each partner in the CA path, I meant in the directory there is the partner certificate as well as the certificate(s) of the CA that they got their certificate from. With "openssl verify -CApath . partner.crt" I check if everything is complete. Maybe this is overkill, if I do not really need a self-signed certificate at the top, but it shouldn't hurt either.
The problem is this: their SAP software (I think they use the Business Connector, but it might be their PI directly, as indicated by the "XI" at the end of the capture file - I am no SAP guru) does not send a partner certificate. The partner claims this is because the "Distinguished Names" list is empty. In this list the server is supposed to send all the CAs it accepts, so the client can then choose one of the certificates it has installed to present it to the server. Since the list is empty, no certificate is found.
So I need to find a way to send back a list of accepted root CA certificates. What I tried, and described in the mail, was this: I set up a second stunnel with verify=2. For this, I use the same file in "cert", but a new directory for CApath. In this directory, I have put the symlink for the CA certificate of the partner (their own company-wide CA), in the hope that this is not only used to verify their client certificate when they present it, but also sent in the Distinguished Names list of accepted CAs. Unfortunately, this did not work, that list is still empty.
I have attached the data of the connection attempt, including a screenshot the partner sent us, which shows the field they are talking about with a size of "0".
Is there any way, regardless of how complex, to send the DNs? I'll gladly patch the source and compile instead of using a binary package, as long as it helps.
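The "Distinguished Names" field the partner refers to is the certificate_authorities list of the TLS CertificateRequest handshake message (RFC 5246, section 7.4.4). The following is an added example, not code from this thread or from stunnel: it parses a TLS 1.2 CertificateRequest and decodes the DER-encoded names in that list, so a capture like the one described above can be checked for an empty (size 0) versus a populated list. The sample messages are constructed inline; the CA name "Partner Root CA" is a made-up placeholder.

```python
# Minimal DER TLV reader: returns (tag, value, remaining bytes).
def der_tlv(buf):
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]

# Attribute OIDs we print by short name; anything else is shown as hex.
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}

def dn_to_str(name_der):
    """Decode an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    tag, body, _ = der_tlv(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts = []
    while body:
        _, rdn, body = der_tlv(body)        # SET (one RDN)
        _, atv, _ = der_tlv(rdn)            # SEQUENCE (AttributeTypeAndValue)
        _, oid, rest = der_tlv(atv)         # OBJECT IDENTIFIER
        _, val, _ = der_tlv(rest)           # string value (tag ignored here)
        parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_certificate_request(hs):
    """Parse a TLS 1.2 CertificateRequest (handshake type 13) into its fields."""
    if hs[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    n = body[0]; cert_types = list(body[1:1 + n]); pos = 1 + n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2   # this is the "size 0" field
    cas, end = [], pos + n
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        cas.append(dn_to_str(body[pos:pos + dn_len])); pos += dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "cas": cas}

# Builders for the constructed sample (short-form DER lengths are enough here).
def der(tag, content):
    return bytes([tag, len(content)]) + content

def make_dn(pairs):
    """Build a DER Name from [('C', 'DE'), ...]; all values encoded as UTF8String."""
    rev = {v: k for k, v in OIDS.items()}
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, rev[k]) + der(0x0c, v.encode()))) for k, v in pairs))

def make_certificate_request(dns):
    """CertificateRequest with rsa_sign, sha256/rsa and the given DER names (sample data)."""
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    body = bytes([1, 1]) + bytes([0, 2, 4, 1]) + len(cas).to_bytes(2, "big") + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body
```

With an empty list the parser returns `cas == []`, which is the "size 0" case from the screenshot; a server that loads the partner CA into its client CA list yields one decoded name instead.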