[stunnel-users] Stunnel and configuration
Bohdan Linda
b.linda at volny.cz
Tue Feb 22 16:19:09 CET 2005
Hi all,
I have configured stunnel to do the client authetication, but I have
some question.
I have used following config:
cert = /etc/certificates/server.pem - file with signed
server cert and key
(passwordless)
chroot = /var/run/stunnel/
CAfile = /etc/certificates/certs -file where first item is my
CA certificate followed by list of
all client certificates sgined by my CA.
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
verify = 3
This setup is working, but this seems to me very "unlogical".
If I create for me "more logic" setup:
cert = /etc/certificates/server.pem
chroot = /var/run/stunnel/
CAfile = /etc/certificates/CA/cacert.pem - only certificate of my CA
CRLfile = /etc/certificates/crls - only certificates signed by my CA
I get the following error:
2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C= .....
2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C=
The question is ... why? Why CAfile has to contain all client
certificates, when clients certs are not CA? Why I cannot have separate
file for CA and separate file for certificates that I want accept? If I
do the similar setup in mod_ssl, the configuration works as expected.
Anyway, I'am newbie to deploy stunnel, thus I would like to ask you for
giving me you opinion of this configuration, caveats and possible
enhancements.
Thanks for any comments,
Bohdan Linda
More information about the stunnel-users
mailing list