Hello,
I've already sent a message for my problem but no answer.
I have a server certificate signed by GlobalSign. I don't want to use a client certificate. But if I don't put the certification chain in the CAfile of stunnel and don't set verify to 1, stunnel doesn't check the server certification chain and the server certificate appears broken on the client side !!! I've posted this problem on the stunnel mailing list but you tell me that if I don't use a client certificate I don't have to set verify to 1. But it doesn't work, and why do GlobalSign and others explain how to install the server certification chain on servers like Apache mod_ssl? (see http://support.globalsign.net/en/serversign/apachemodssl.cfm) When I read this help file I suppose that the SSL protocol on the server side makes a check of the server certificate, and that's the reason why the certificate chain appears broken or not on the client side.
My current ugly solution is to set verify to 1; in this case, on the client side, the certificate appears good and not broken but... a dialog box appears and asks for a client certificate, and some plugins like Flash don't support that.
I use stunnel 4.14. stunnel.conf:

cert = c:\certif\inTest.crt
key = c:\certif\inTest.key
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 1
CAfile = c:\certif\ca.pem
;client = yes
[https]
accept = 443
connect = 127.0.0.1:901
TIMEOUTclose = 0
[rtmps]
accept = 80
connect = 127.0.0.1:900
TIMEOUTclose = 0
Could anybody give me some support?
Thx
Oliver
On Thu, 9 Feb 2006, Olivier twist wrote:
> I've already sent a message for my problem but no answer.
Try to be a little more patient. The people who give support on this list are generally busy people who are kind enough to provide support on stunnel to the broader community on a volunteer basis, free of charge. But they do have regular jobs.
> I have a server certificate signed by GlobalSign. I don't want to use a client certificate. But if I don't put the certification chain in the CAfile of stunnel and don't set verify to 1, stunnel doesn't check the server certification chain and the server certificate appears broken on the client side !!! I've posted this problem on the stunnel mailing list but you tell me that if I don't use a client certificate I don't have to set verify to 1. But it doesn't work, and why do GlobalSign and others explain how to install the server certification chain on servers like Apache mod_ssl? (see http://support.globalsign.net/en/serversign/apachemodssl.cfm) When I read this help file I suppose that the SSL protocol on the server side makes a check of the server certificate, and that's the reason why the certificate chain appears broken or not on the client side.

From your description I gather that you have stunnel at both the client and server side? If so, try to set verify=1 at the *client side* to verify the server certificate chain and do not verify at the server side. If I remember correctly you should put the CA chain in the 'server.pem' file together with your server certificate.
Jan
Jan Meijer wrote:
> Try to be a little more patient. The people who give support on this list are generally busy people who are kind enough to provide support on stunnel to the broader community on a volunteer basis, free of charge. But they do have regular jobs.

Commercial support is also available: http://stunnel.mirt.net/support.html
Best regards, Mike
> From your description I gather that you have stunnel at both the client and server side?

No, just stunnel on the server side; on the client side it's Internet Explorer, but now I can use Firefox with the Flash plugin because my problem is solved.
> If I remember correctly you should put the CA chain in the 'server.pem' file together with your server certificate.

You remember right! But where do you remember that from?? I put the certification chain together with the certificate in the server certificate file and it works now!!
Thx for all Jan,
Oliver
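The fix Jan describes, as an added example that is not part of the thread: a POSIX shell script that bundles the server certificate with its intermediate CA certificate(s) into the single file stunnel's "cert =" option points at, and checks with openssl that the certificates are in signing order before the bundle is deployed. File names are placeholders chosen for this example.

```shell
#!/bin/sh
# Build the chained file that stunnel's "cert =" option points at: the
# server certificate first, followed by each intermediate CA certificate
# in signing order (the self-signed root may be omitted). A bundle in the
# wrong order is what shows up as a "broken" chain in a browser.
# File names below are placeholders chosen for this example.

# build_chain OUT SERVER.crt INTERMEDIATE1.crt [INTERMEDIATE2.crt ...]
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        # re-emit each PEM certificate so any text outside the PEM block is dropped
        openssl x509 -in "$f" >> "$out"
    done
}

# check_chain BUNDLE: succeed only if the bundle holds at least one
# certificate and every certificate's issuer is the subject of the
# certificate that follows it in the file.
check_chain() {
    bundle=$1
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/cert." n) }' "$bundle"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    [ "$n" -ge 1 ] || { rm -rf "$tmp"; return 1; }
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject)
        # drop the "issuer=" / "subject=" labels and compare the names
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$tmp"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return 0
}

# Example use (placeholder names): bundle the server certificate with its
# intermediate, then point stunnel.conf at it with "cert = chain.pem" and
# leave "verify" unset, so the server sends the full chain to browsers
# without asking them for a client certificate.
# build_chain chain.pem inTest.crt globalsign-intermediate.crt
# check_chain chain.pem && echo "chain order OK"
```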