On Wed, 11 Jan 2006, Olivier twist wrote:
In the past, I always used stunnel with the verify option set to 2. Works fine.
But for a few days I have had a basic use of an SSL connection and need only a server certificate, and I use a classic browser like Netscape on the client side.
If I don't set verify to 1, the certification chain is broken; I see it in Netscape. If I set verify to 1 then the certification chain is valid BUT before the connection the browser asks me for a client certificate!! I click cancel and it works, but I don't want the browser to ask for a client certificate! I don't have this problem with Apache mod_ssl but.... I don't want to use Apache because I only have port redirection to do on a non-HTTP protocol, and it seems that we can't do redirection on a non-HTTP protocol with the proxy module, for example.
Have you an idea?
Maybe. You say you only want to verify the server certificate, right? Then why ask for a client certificate? verify = 1 says 'verify peer certificate if present'. Hence, it will verify the *client certificate* if you have one. So it will ask you for one. Just don't do verify on your stunnel server and you should be OK.
I use stunnel 4.14.
Jan
If you use a certificate signed by a third party, the server checks the certification chain when a user connects to the server. That's the reason why you have to store the intermediate certificates in the CAfile. If verify is not set to 1, stunnel doesn't check the certification chain, and on the client side the certification chain appears broken.
Jan
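To make the advice in this thread concrete, here is an added example stunnel.conf (it is not from the thread or from the stunnel project; the service name, ports, hostnames and file paths are placeholders I chose, and the syntax is that of stunnel 4.x). The commented-out "before" service is the setup described above: verify = 1 makes the CAfile available so the browser sees a complete chain, but it also makes the server request a client certificate, which is what triggers the prompt. The "after" service drops verify entirely and instead ships the intermediates in the cert file itself, which stunnel accepts as a PEM bundle ordered from the server certificate upward.

```ini
; Added example stunnel.conf -- not from the original thread.
; Placeholders: service name "imaps", ports 993/143, and all file paths.

; ---- Before: what the thread describes (kept here commented out) ----
; verify = 1 means "verify peer certificate if present". On a server it
; makes stunnel send a CertificateRequest, so browsers such as Netscape
; prompt for a client certificate even though only the server needs one.
; The chain looked valid only because CAfile is loaded when verify is set.
;[imaps]
;accept  = 993
;connect = 127.0.0.1:143
;cert    = /etc/stunnel/server.pem
;CAfile  = /etc/stunnel/intermediates.pem
;verify  = 1

; ---- After: server authentication only, no client-certificate prompt ----
; No verify option: no CertificateRequest is sent, so no browser prompt.
; server-chain.pem is a constructed bundle: the server certificate first,
; then each intermediate CA certificate, then the private key. The root CA
; is deliberately left out; the browser already has it in its trust store.
;   cat server.crt intermediate.crt server.key > server-chain.pem
;   chmod 600 server-chain.pem
[imaps]
accept  = 993
connect = 127.0.0.1:143
cert    = /etc/stunnel/server-chain.pem
```

To check the result from a client machine, `openssl s_client -connect host:993 -showcerts` prints every certificate the server sent, so you can see whether the intermediates are present, and after the handshake it prints either "No client certificate CA names sent" or "Acceptable client certificate CA names", which tells you whether the server is still requesting a client certificate. Before deploying the bundle, `openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt` confirms that the chain you are about to ship actually links the server certificate to the root.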