Hello,
for our current use-case we needed to add functionality to stunnel and therefore have made a few patches. We distribute these patches with our software and were wondering what you think about including them directly in stunnel.
Firstly, we need peer certificate fingerprints in MD5, SHA1, SHA224, SHA256, SHA384 and SHA512. Patched stunnel exports all these in separate variables "SSL_CLIENT_*".
Secondly, we could need subjectAltName values. Patched stunnel exports these in "SSL_CLIENT_SAN", but only rfc822Name, iPAddress and dNSName as we need only these. It could easily be expanded to all the values.
Lastly, we required verification as if we first used verify = 2 and, after failing, tried verify = 4 (verify = 3 is technically verify = 2 AND verify = 4, if I am not wrong, and we need verify = 2 OR verify = 4). For this purpose my patch adds a new verify = 5 option.
I want to say that we did not just make all these requirements up, but we want to conform to RFCs describing NETCONF over TLS and its configuration. All the patches are included so you can go through them. Thank you.
Kind regards, Michal Vasko
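An added illustration of the two export steps the message describes (this is example code written for this page, not Michal's patch and not stunnel's code): formatting a peer certificate's DER bytes as colon-separated MD5, SHA1, SHA224, SHA256, SHA384 and SHA512 fingerprints, and pulling the rfc822Name, dNSName and iPAddress entries out of a DER-encoded subjectAltName extension value while skipping the other GeneralName choices. The variable suffixes (SSL_CLIENT_MD5 and so on), the "type:value" joining of the SSL_CLIENT_SAN string, and the sample SAN blob are assumptions made here; the page only says the patch exports SSL_CLIENT_* variables. It uses the standard library only, so the certificate bytes are a constructed stand-in rather than a real certificate.

```python
"""Fingerprint and subjectAltName export helpers (added example, not stunnel code).

Assumptions: the variable names SSL_CLIENT_<DIGEST> and the "type:value,..."
SAN format are invented for this example; the message only says SSL_CLIENT_*.
"""
import hashlib
import ipaddress

DIGESTS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

# GeneralName context-specific tags (RFC 5280 section 4.2.1.6), primitive form.
# Only the three kinds the message exports are mapped; others are skipped.
GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0x87: "iPAddress"}


def fingerprints(cert_der: bytes) -> dict:
    """Return {'SSL_CLIENT_MD5': 'AB:CD:...', ...} for a certificate's DER bytes.
    A fingerprint is the digest over the whole DER encoding, printed the way
    `openssl x509 -fingerprint` does: uppercase hex, colon separated."""
    out = {}
    for name in DIGESTS:
        digest = hashlib.new(name, cert_der).digest()
        out[f"SSL_CLIENT_{name.upper()}"] = ":".join(f"{b:02X}" for b in digest)
    return out


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, position after it).
    Rejects indefinite lengths, oversized length fields and values that run
    past the buffer, so a truncated extension cannot be silently accepted."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def parse_san(ext_value: bytes) -> list:
    """Parse a subjectAltName extension value (a GeneralNames SEQUENCE) into
    [(type, text), ...] for rfc822Name, dNSName and iPAddress only; other
    GeneralName choices (URI, directoryName, ...) are skipped."""
    tag, names, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    result, pos = [], 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        kind = GENERAL_NAME_TAGS.get(tag)
        if kind is None:
            continue
        if kind == "iPAddress":
            # iPAddress is a packed address: 4 octets for IPv4, 16 for IPv6.
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets")
            result.append((kind, str(ipaddress.ip_address(value))))
        else:
            result.append((kind, value.decode("ascii")))
    return result


def export_san(ext_value: bytes) -> str:
    """Flatten the parsed names into one SSL_CLIENT_SAN string (assumed format)."""
    return ",".join(f"{kind}:{text}" for kind, text in parse_san(ext_value))


def sample_san() -> bytes:
    """Constructed GeneralNames blob for the demo; the URI entry is there to be skipped."""
    return der_tlv(0x30, b"".join([
        der_tlv(0x81, b"admin@example.net"),
        der_tlv(0x82, b"netconf.example.net"),
        der_tlv(0x86, b"https://example.net/"),
        der_tlv(0x87, bytes([192, 0, 2, 10])),
        der_tlv(0x87, ipaddress.ip_address("2001:db8::10").packed),
    ]))


if __name__ == "__main__":
    # Constructed stand-in for a certificate's DER bytes (not a real certificate).
    cert_der = b"constructed stand-in for peer certificate DER"
    for var, fp in fingerprints(cert_der).items():
        print(f"{var}={fp}")
    print("SSL_CLIENT_SAN=" + export_san(sample_san()))
```

In a real deployment the `cert_der` input would be the peer certificate as obtained from the TLS library after the handshake, and `parse_san` would be fed the value of the extension with OID 2.5.29.17; locating that extension inside the certificate is left out here.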