Hi,
currently stunnel uses the X509_STORE_get_by_subject () API call to OpenSSL to retrieve the x509 client certificate in the cert_check () method (located in verify.c) to gather the client certificate from the whitelist by the common name (CN) the client presented during the TLS handshake. It then proceeds to compare both certificates bit by bit. This all works rather fine until the very moment you have more than one client certificate with the same CN. The OpenSSL API call will then return any of the certificates with the provided CN (according to internal logic). Other implementations using OpenSSL were aware of this issue and introduced logic to further iterate over the remaining certificates, retrieving any further with the same CN. See for example function X509_STORE_CTX_get1_issuer () and its comment: http://www.opensource.apple.com/source/OpenSSL/OpenSSL-12/openssl/crypto/x50...
I patched stunnel 4.53 and adapted the patch to upstream version 5.00 to behave in a similar fashion and can report that with these changes stunnel then also supports multiple client certificates sharing the same CN. Feel free to adapt indentation as my patches aim for minimal changed lines.
Best regards, Leon Winter
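As an added illustration, not code from the post or from stunnel, here is a plain C model of the lookup problem described above: a constructed array stands in for the OpenSSL X509_STORE, `cert_check_first_match` mirrors the single-result subject lookup, and `cert_check_all_matches` mirrors the patched behaviour of iterating over every entry with the same subject. The struct, function names and DER byte strings are assumptions for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for an OpenSSL X509_STORE entry: subject name
 * plus the certificate's DER encoding (here a short placeholder byte string). */
typedef struct {
    const char *subject;
    const unsigned char *der;
    size_t der_len;
} cert_entry;

static bool same_der(const cert_entry *a, const cert_entry *b) {
    return a->der_len == b->der_len && memcmp(a->der, b->der, a->der_len) == 0;
}

/* Original behaviour: a single subject lookup (X509_STORE_get_by_subject()
 * in stunnel's cert_check()) yields one arbitrary entry with that subject,
 * which is then compared bit by bit with the presented certificate. */
bool cert_check_first_match(const cert_entry *store, size_t n, const cert_entry *peer) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].subject, peer->subject) == 0)
            return same_der(&store[i], peer);   /* decided by whichever entry is found first */
    return false;
}

/* Patched behaviour: keep iterating over every entry sharing the subject and
 * accept only if one of them is bit-for-bit identical to the presented cert.
 * (Against OpenSSL >= 1.1.0 the loop would walk X509_STORE_get0_objects()
 * and compare with X509_NAME_cmp() / X509_cmp().) */
bool cert_check_all_matches(const cert_entry *store, size_t n, const cert_entry *peer) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].subject, peer->subject) == 0 && same_der(&store[i], peer))
            return true;
    return false;
}

/* Constructed whitelist: two distinct certificates carrying the same CN. */
static const unsigned char DER_A[] = {0x30, 0x82, 0x01, 0x01};
static const unsigned char DER_B[] = {0x30, 0x82, 0x02, 0x02};
static const unsigned char DER_X[] = {0x30, 0x82, 0x03, 0x03};
const cert_entry WHITELIST[] = {
    {"CN=client", DER_A, sizeof DER_A},
    {"CN=client", DER_B, sizeof DER_B},
};
const size_t WHITELIST_LEN = 2;
const cert_entry PEER_B = {"CN=client", DER_B, sizeof DER_B};   /* whitelisted, second entry */
const cert_entry PEER_X = {"CN=client", DER_X, sizeof DER_X};   /* same CN, not whitelisted */
```

With the first-match lookup the legitimate second certificate is rejected because the comparison is made against whichever entry the store returns first; the iterating version accepts it while still rejecting an unlisted certificate with the same CN.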