[stunnel-users] need help with verify 1 option
Jan Meijer
jan.meijer at surfnet.nl
Fri Jan 13 10:38:40 CET 2006
On Wed, 11 Jan 2006, Olivier twist wrote:
> In the past, I always used stunnel with option verify set at 2. Works fine.
>
> But for a few days now I have had a basic use of SSL connections and need
> only a server certificate, and I use a classical browser like Netscape on
> the client side.
>
> If I don't set verify at 1, the certification chain is broken, I see it in
> Netscape. If I try to set verify at 1 then the certification chain is valid
> BUT before the connection the browser asks me for a client certificate !!
> I click cancel and it works but I don't want the browser to ask for a
> client certificate ! I don't have this problem with apache mod ssl but....
> I don't want to use apache because I have only port redirection to do on a
> non-http protocol and it seems that we can't do redirection on a non-http
> protocol with the proxy module, for example.
>
> Do you have an idea?
Maybe. You say you only want to verify the server certificate, right?
Then why ask for a client certificate? verify = 1 says 'verify peer
certificate if present'. Hence, it will verify the *client certificate*
if you have one. So it will ask you for one. Just don't do verify on
your stunnel server and you should be OK.
> I use stunnel 4.14.
Jan
--
http://www.surfnet.nl/organisatie/jame
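
An added example, not part of the original message and not stunnel's own code: a small audit of a stunnel.conf that reports, for each server-mode service, whether its `verify` setting makes stunnel ask the connecting client for a certificate, which is the behaviour the reply above describes. The sample configuration, its service names, paths and ports are constructed, treating global options as per-service defaults is an assumption, and the meanings of levels 2 and 3 come from the stunnel 4.x manual rather than from this thread.

```python
SAMPLE_CONF = """\
; constructed sample: placeholder path, ports and service names
cert = /etc/stunnel/server.pem

[with-verify-1]
accept = 5000
connect = 127.0.0.1:6000
verify = 1

[no-verify]
accept = 5001
connect = 127.0.0.1:6001

[outbound]
client = yes
accept = 127.0.0.1:7000
connect = example.org:443
verify = 2
"""

def parse_stunnel_conf(text):
    """Split stunnel.conf text into (global options, {service: options})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = global_opts if current is None else current
            target[key.strip().lower()] = value.strip()
    return global_opts, services

def audit(text):
    """Map each server-mode service to (level, requests_cert, requires_cert)."""
    global_opts, services = parse_stunnel_conf(text)
    report = {}
    for name, opts in services.items():
        merged = {**global_opts, **opts}  # assumption: global values are defaults
        if merged.get("client", "no").lower() == "yes":
            continue  # client mode: verify then applies to the remote server
        level = int(merged["verify"]) if "verify" in merged else None
        if level not in (None, 1, 2, 3):
            raise ValueError(f"{name}: verify level {level} not covered here")
        # 1 = verify if present (client is asked), 2/3 = certificate required
        report[name] = (level, level is not None, level in (2, 3))
    return report
```

A service reported with `requests_cert` true and `requires_cert` false is the case from this thread: the browser is prompted for a client certificate but the connection still proceeds when none is supplied.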