[stunnel-users] CN field of server cert
spambox at poczta.onet.pl
spambox at poczta.onet.pl
Sat May 14 22:50:20 CEST 2005
Hi stunnel-users,
There is example configuration:
<!--
client = yes
foreground = yes
ciphers = DES-CBC3-SHA
verify = 2
CAfile = ThawteServerCA.txt
[asd]
accept = 127.0.0.1:60465
connect = smtp.gmail.com:465
#connect = 64.233.185.109:465
-->
I don't know how to enforce stunnel to verify CN field from server provided certificate.
Even if i change "connect" field to next one stunnel will not complain.
So, am I wrong that when someone hijack (mitm) this connection and provide any server cert signed by ThawteServerCA then I loose?
Please add this verification to stunnel when verify is set to 2 or better as an separate option "verify_cn?" which could be used in service-level context.
Usting this option with that described below I can drop 'verify' and 'CAfile' at all and feel much better. :)
There is another verification method that could be added - not related to verify option. In most cases I know public cert of remote server. So I also know sha1/md5 fingerprint of that cert.
Security could improve v.much by just adding these lines to my example configuration:
fingerprint_md5=F5:BD:C3:C8:D5:4B:03:EA:57:BB:81:72:46:6B:26:54
fingerprint_sha1=CE:3A:0D:3E:DA:4B:77:A3:53:C0:9E:A8:65:B7:F8:C2:09:71:43:41
Another good service-level option?
There are some other good options that could be ported from openssl/s_client:
"-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
Regards.
More information about the stunnel-users
mailing list