[stunnel-users] need help with verify 1 option

Jan Meijer jan.meijer at surfnet.nl
Fri Jan 13 10:38:40 CET 2006


On Wed, 11 Jan 2006, Olivier twist wrote:

> In past, I always used stunnel with option verify set at 2. Works fine.
>
> But since few days I have a basic use of ssl connection and need only server certificate and I use classical browser like Netscape
> on client side.
>
> If I don't set verify at 1, the cerfication chain is broken, I see it in Netscape. If I try to set verify at 1 then the
> certification chain is valid BUT before the connection the browser ask me for a client certificate !! I click cancel and it works
> but I don't want that the browser ask for a client certificate ! I don't have this problem with apache mod ssl but.... I don't want
> to use apache because I have only port redirection to do on non-http protocole and it seems that we can't do redirection on
> non-http protocole with proxy module for example.
>
> Have you an idea?

Maybe.  You say you only want to verify the server certificate, right?
Then why ask for a client certificate?  verify = 1 says 'verify peer
certificate if present'.  Hence, it will verify the *client certificate*
if you have one.  So it will ask you for one.  Just don't do verify on
your stunnel server and you should be OK.

> I use stunnel 4.14.

Jan
-- 
http://www.surfnet.nl/organisatie/jame




More information about the stunnel-users mailing list