[stunnel-users] certificate root chain
Olivier twist
twist_54 at hotmail.com
Thu Feb 9 10:53:08 CET 2006
Hello,
I've already sent a message about my problem but got no answer.
I have a server certificate signed by GlobalSign. I don't want to use a client
certificate.
But if I don't put the certification chain in the CAfile of stunnel and
don't set verify to 1, stunnel doesn't check the server certification chain
and the server certificate appears broken on the client side!!!
I've posted this problem on the stunnel mailing list, but you told me that if I
don't use a client certificate I don't have to set verify to 1. But it doesn't
work, and why do GlobalSign and others explain how to install the server
certification chain on servers like Apache mod_ssl? (see
http://support.globalsign.net/en/serversign/apachemodssl.cfm) When I read
this help file I suppose that the SSL protocol on the server side makes a check
of the server certificate, and that's the reason why the certificate chain
appears broken or not on the client side.
My current ugly solution is to set verify to 1. In this case, on the client
side, the certificate appears good and not broken, but... a dialog box
appears and asks for a client certificate, and some plugins like Flash don't
support that.
I use stunnel 4.14
stunnel.conf:
cert = c:\certif\inTest.crt
key = c:\certif\inTest.key
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 1
CAfile = c:\certif\ca.pem
;client = yes
[https]
accept = 443
connect = 127.0.0.1:901
TIMEOUTclose = 0
[rtmps]
accept = 80
connect = 127.0.0.1:900
TIMEOUTclose = 0
Could anybody give me support?
Thx
Oliver