Hello to all,
We got a 2048-bit wildcard certificate for our domain *.domain.com, and we are using Thawte as Certificate Authority. So they sent us two certificates:
one for the SSL web server and one intermediate certificate.
The stunnel configuration is:
[https1]
cert = /etc/stunnel/domain.crt
CAfile = /etc/stunnel/domain.intermediate.crt
key = /etc/stunnel/domain.key.nopass
verify = 0
accept = x.x.x.x:443
connect = x.x.x.x:81
xforwardedfor=yes
Even though I use verify = 0, some of our clients still complain that on some pages (like blabla.domain.com) the server wants one of their private certificates to be sent to the server!!
And it happens only with Internet Explorer 8.0. Without the verify and CAfile commands IE 8.0 works fine, but Mozilla Firefox complains that it cannot find a CA to be trusted!
The wildcard certificate cannot be reissued with a 1024-bit key. So is there some mistake in my configuration?
If not, what can I do about it?
Thanks in advance.
P.S.: The version of stunnel is 4.20 with the XForwardedFor patch.
On Mon, 2010-08-23 14:48:12 +0300, Georgi Georgiev wrote:
> Hello to all,
> We got a 2048-bit wildcard certificate for our domain *.domain.com, and we are using Thawte as Certificate Authority. So they sent us two certificates:
> one for the SSL web server and one intermediate certificate.
> The stunnel configuration is:
> [https1]
> cert = /etc/stunnel/domain.crt
> CAfile = /etc/stunnel/domain.intermediate.crt
Georgi,
I think this is the misunderstanding: the 'cert' file is expected to contain the whole certificate chain, i.e. all three certificates, CA, intermediate and domain (see the man page).
The 'CAfile' is for additional certificates needed to verify the client's certificates (if presented or verification is required).
HTH,
Ludolf
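As an added illustration of Ludolf's point (this script is not from the thread or from stunnel), the following builds a throwaway root/intermediate/leaf chain with openssl, concatenates leaf, intermediate and root into the single file that stunnel's 'cert' option expects, and checks it the way a client would: the leaf on its own cannot be chained to the trusted root, the bundled file can. The test CA names and file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build the single 'cert' file stunnel
# expects, leaf + intermediate + root, and check it the way a client would.
# A throwaway test CA is generated so this runs offline; all names are made up.
set -e
W=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper, keeps the exit status

# 1. Throwaway root CA, intermediate CA and *.domain.com leaf (test data only)
q openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
  -keyout "$W/root.key" -out "$W/root.crt"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"
q openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout "$W/int.key" -out "$W/int.csr"
q openssl x509 -req -in "$W/int.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -CAcreateserial -days 2 -extfile "$W/ca.ext" -out "$W/int.crt"
q openssl req -newkey rsa:2048 -nodes -subj "/CN=*.domain.com" \
  -keyout "$W/domain.key.nopass" -out "$W/domain.csr"
q openssl x509 -req -in "$W/domain.csr" -CA "$W/int.crt" -CAkey "$W/int.key" \
  -CAcreateserial -days 2 -out "$W/domain.crt"

# 2. The file to point stunnel's 'cert =' at: leaf first, then its issuers
cat "$W/domain.crt" "$W/int.crt" "$W/root.crt" > "$W/domain.chain.crt"

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Leaf alone, trusting only the root: what a browser sees when the server
# sends domain.crt without the intermediate (the original configuration).
leaf_only_verifies() { q openssl verify -CAfile "$W/root.crt" "$W/domain.crt"; }

# Leaf plus the bundle as untrusted extra certs: what the server sends once
# 'cert' holds the whole chain.
chain_verifies() {
  q openssl verify -CAfile "$W/root.crt" -untrusted "$W/domain.chain.crt" "$W/domain.crt"
}

echo "certificates in bundle: $(count_certs "$W/domain.chain.crt")"
if leaf_only_verifies; then echo "leaf alone: verified"; else echo "leaf alone: FAILS (no issuer for the leaf)"; fi
if chain_verifies; then echo "with chain: verified"; else echo "with chain: FAILS"; fi
```

The generated domain.chain.crt is what the 'cert =' line in the [https1] section should reference; CAfile stays unused unless client certificates are to be verified.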