On Wed, 2011-04-27 10:47:42 +0200, laurent.uk@bnpparibas.com wrote:
Hi all,
I need some information about stunnel.
First, when the client's software uses a certificate signed by a CA like VeriSign, do we need to add the certificates of this CA? Or is it not necessary because it is a known CA?
If you are using verify=3, stunnel checks client certificates against the set of certificates in CApath or CAfile, not against CAs and CRLs.
In order to have stunnel check the certificate chain of client certificates, you'll have to use verify=2. For that, stunnel needs access to the CA's root certificate and the intermediate certificates (i.e. they have to be locally installed to CApath/CAfile).
Secondly, I need to download and update the CRL files, and also (if it's possible) the certificates of known CAs. How can I do that on my AIX machine, please?
This depends on the way the CA publishes its certificates and CRLs. For VeriSign, my first idea is to use wget to download them from http://crl.verisign.com. There may be better ways, though. And I don't know AIX.
Ludolf
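A server-side stunnel configuration illustrating the two verification modes discussed in the reply above (an added example, not posted by either participant; the file paths, port numbers and service name are assumptions):

```ini
; Added example: stunnel server side, client-certificate verification.
; Paths, ports and the service name are assumptions, not from the thread.
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

[app-tls]
accept  = 8443
connect = 127.0.0.1:8080

; verify = 2: require a client certificate and validate its chain.
; The CA root and every intermediate must be available locally, either
; concatenated in CAfile (PEM) or stored as hash-named files in CApath.
verify  = 2
CAfile  = /etc/stunnel/certs/ca-chain.pem

; Revocation checking: CRLfile is the PEM-encoded CRL downloaded from the CA.
; A CRL published in DER form has to be converted first, e.g.
;   openssl crl -inform DER -in ca.crl -outform PEM -out ca-crl.pem
; CRLpath (hash-named files) can be used instead when several CRLs apply.
CRLfile = /etc/stunnel/crls/ca-crl.pem

; Alternative, verify = 3: the presented client certificate must itself be
; one of the certificates installed in CApath/CAfile, so every permitted
; client certificate has to be distributed to the server in advance.
; verify  = 3
; CApath  = /etc/stunnel/trusted-clients
```

After replacing the CRL file, stunnel has to be reloaded so the new revocation list is read.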