Hey stunnel-users, I'm having an issue both on stunnel4 and on 5 which I think is more related to a lack of understanding of the difference between how stunnel uses intermediate chain certs and root CA certs. I have from Geotrust, who signs my SSL certs, an intermediate.crt which by the stunnel docs should be catted into one stunnel.pem with the cert for my domain and the private key.
The issue is when I set up everything on the server and try to connect with a client, I either get for "verify 2" warnings about MiTM authentication problems, or for "verify 3" or "verify 4", which should disable CA checking altogether to my understanding, "Please specify CApath".
I feel like I'm missing something critical in terms of pieces. The goal is to use stunnel as a proxy for mysql and the conf is pretty barebones:
sslVersion = TLSv1

setuid = stunnel4
setgid = stunnel4
pid = /var/lib/stunnel4/stunnel4.pid
debug = 7
foreground = yes

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

cert = /etc/stunnel/stunnel.pem
verify = 3

[mysqls]
accept = 3307
connect = localhost:3306
It runs just fine using supervisor.
Any thoughts on how I could make the handshake work between server and client using Geotrust's intermediate crt as the CA cert, or something similar? It contains certs down to the root level.
Thanks!
Jon