[stunnel-users] using no certificate

Jan Meijer jan.meijer at surfnet.nl
Mon Feb 14 10:09:00 CET 2005


On Mon, 14 Feb 2005, Zohar wrote:

> I am only interested in the data being encrypted. I tried setting this 
> up, but the client complains that my server certificate cannot be 
> authenticated (I produced it using http://www.stunnel.org/pem/). Any 
> pointers on how to set such a thing up (even for the time being, while I 
> develop), without having to pay lots of money to a CA ?

This is the infamous 'browser-popup' problem: the 'CA' that signed your 
server's certificate (in your case most likely a self-signed certificate, 
but that's the same problem) is not recognized by your clients.

As in: the client receives the server certificate, tries to verify it 
against its repository of 'trusted CAs' and sees it can't do that.  And 
then generates the warning.

There are two ways to get rid of the message:
- get a server-certificate from a CA that is trusted by the clients; if you 
  only care about the encryption and just want to get rid of the popup, get 
  a server-cert at http://www.freessl.com/, it will be ~40 euros.
- install the CA certificate that issued your server-cert (or your 
  server-cert itself) in all connecting clients

In your situation the first option might be cheapest.

  Jan

-- 
http://www.surfnet.nl/organisatie/jame
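
The verification step described in the reply above, as an added example that is not part of the original post: a self-signed server certificate is rejected by a client whose trust store lacks it, and accepted once the certificate itself is installed as a trust anchor. It assumes the openssl command-line tool is available; the function names, file names and host names are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; function names and CNs are constructed for this example.
# Requires the openssl command-line tool.

# make_selfsigned DIR NAME CN: create a throwaway self-signed cert and key.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# is_trusted ANCHORS CERT: succeed only if CERT verifies against ANCHORS.
# Matches the printed verdict rather than relying on the exit status alone.
is_trusted() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    dir=$(mktemp -d) || return 1
    # The server's own certificate, as produced for development use.
    make_selfsigned "$dir" server stunnel.example.test
    # Stand-in for a CA the client already trusts (unrelated to the server).
    make_selfsigned "$dir" other unrelated-ca.example.test

    # Client trust store without the issuer: this is the warning case.
    if is_trusted "$dir/other.pem" "$dir/server.pem"; then
        echo "before install: trusted"
    else
        echo "before install: NOT trusted (client warns)"
    fi

    # Second option from the reply: add the server cert to the client's store.
    cat "$dir/other.pem" "$dir/server.pem" > "$dir/client-trust.pem"
    if is_trusted "$dir/client-trust.pem" "$dir/server.pem"; then
        echo "after install: trusted"
    else
        echo "after install: NOT trusted"
    fi
    rm -rf "$dir"
}

demo
```

Only the `.pem` certificate is copied to clients; the `.key` file stays on the server.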


