[stunnel-users] Stunnel and configuration

Bohdan Linda b.linda at volny.cz
Tue Feb 22 16:19:09 CET 2005


Hi all,

I have configured stunnel to do the client authentication, but I have 
some questions.

I have used following config:

cert = /etc/certificates/server.pem         - file with signed server cert and key (passwordless)

chroot = /var/run/stunnel/

CAfile = /etc/certificates/certs            - file where the first item is my CA certificate, followed by a list of all client certificates signed by my CA.

setuid = nobody
setgid = nogroup
pid = /stunnel.pid
verify = 3 

This setup is working, but it seems very "illogical" to me.
If I create a "more logical" setup for myself:

cert = /etc/certificates/server.pem
chroot = /var/run/stunnel/
CAfile = /etc/certificates/CA/cacert.pem   - only certificate of my CA
CRLfile = /etc/certificates/crls      - only certificates signed by my CA

I get the following error:
2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C= .....
2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C=


The question is ...  why? Why does CAfile have to contain all client 
certificates, when client certs are not CAs? Why can't I have a separate 
file for the CA and a separate file for the certificates that I want to accept? If I 
do a similar setup in mod_ssl, the configuration works as expected.

Anyway, I'm a newbie at deploying stunnel, so I would like to ask you to 
give me your opinion on this configuration, its caveats and possible 
enhancements.

Thanks for any comments,
Bohdan Linda
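The following is an added configuration example, not part of the original message, showing the two-file layout (CA certificate separate from revocation data) that the poster wants. It relies on stunnel's verify levels: level 3 additionally requires the presented client certificate itself to be installed locally in CAfile, which is why the working setup had to list every client certificate there, while level 2 only requires the client certificate to chain to a CA in CAfile. The paths are the poster's; the service section with accept/connect is omitted, as in the original post.

```ini
; Added example (not the poster's own file): "CA only" client authentication.
; The accept/connect service section is left out, as in the original post.

cert   = /etc/certificates/server.pem
; server certificate and passwordless key, as in the post
chroot = /var/run/stunnel/
setuid = nobody
setgid = nogroup
; pid path is relative to the chroot directory
pid    = /stunnel.pid

; verify = 2 requires the client to present a certificate and checks that it
; chains to a CA listed in CAfile. CAfile therefore only needs the CA
; certificate(s); individual client certificates do not belong in it.
CAfile = /etc/certificates/CA/cacert.pem
verify = 2

; CRLfile holds certificate revocation lists issued by the CA, not
; certificates. With it set, a client whose certificate has been revoked is
; rejected without touching CAfile. A CRL carries a nextUpdate date, so it
; has to be regenerated and redistributed before it expires, otherwise
; verification fails for every client.
CRLfile = /etc/certificates/crls

; The poster's working setup used verify = 3. At that level the client
; certificate must also be present in CAfile, so the file had to contain
; the CA certificate followed by every accepted client certificate:
; verify = 3
```

With verify = 2, control over who may connect moves from "is this exact certificate in my file" to "did my CA sign it and is it still unrevoked", so issuing and revoking client certificates becomes the access-control procedure.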


