[stunnel-users] Authenticate both client and server?
Carter Browne
cbrowne at cbcs-usa.com
Mon Nov 23 14:32:39 CET 2009
I verify both server and client using both self-signed and
non-self-signed certificates. If the certificates are not all
self-signed, verify should be set to 2 and not 3. Verify=2 will follow
the certificate chain whereas verify=3 will not. As I have a mixture
of Windows and Linux computers, I find it much easier to use the
hashcode as the file name.
Carter
Carter Browne
CBCS
cbrowne at cbcs-usa.com
781-721-2890
Kārlis Repsons wrote:
> On Monday 23 November 2009 09:34:22 Ludolf Holzheid wrote:
>
>>>> cert = pemfile
>>>> certificate chain PEM file name
>>>>
>>>> A PEM is always needed in server mode. Specifying this
>>>> flag in client mode will use this certificate chain as a
>>>> client side certificate chain. Using client side certs is
>>>> optional. The certificates must be in PEM format and must
>>>> be sorted starting with the certificate to the highest
>>>> level (root CA).
>>>>
>> I think this says, the file given in the 'cert=' line in stunnel.conf
>> must include the whole certificate chain.
>>
>>
>>> I also tried with adding root-ca.pem to the bottom of server and
>>> client .pem, but the same bum. Do you have any idea at this point?
>>>
>> The man page says this has to be the other way 'round (starting with
>> CA).
>>
>
> Well, the result on my side is as follows...
>
>
> "must be sorted starting with the certificate to the highest level (root CA).":
>
> I would like to assert the intended meaning of this. To me it means "from the
> assigned certificate down to root ca"! My English bug? How was that meant
> really?
> Suppose Ludolf's right about "from root-ca to the assigned cert.": c_rehash
> gives equal hashes for all @[root-ca.pem, server.descend.pem,
> client.descend.pem]...
>
>
> On the other hand, when tried from assigned down to root, the self-signed
> root-ca is tried to verify and it fails, saying "VERIFY ERROR: depth=1,
> error=self signed certificate in certificate chain" and "certificate verify
> failed".
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
>
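The two points argued in this thread, the order of certificates in the `cert=` file and the hash-named files in a CApath directory, can be checked from the command line. The script below is an added example for this archive page; it is not code from the list or from the stunnel project. It assumes only an `openssl` command on PATH and builds a throwaway root CA and server certificate in a temp directory (all constructed, no real PKI). It shows the leaf-first order that OpenSSL's chain loader, and therefore stunnel's `cert=`, expects (end-entity certificate first, issuers after it, root last), a check that a bundle actually follows that order, a CApath populated the way `c_rehash` does it (`<subject-hash>.0`), and a verification run against a populated and an empty CApath. The empty-CApath run reproduces the thread's error 19, "self signed certificate in certificate chain": the chain could be built from the certificates the peer sent, but the self-signed root was not found among the verifier's own trusted certificates, so the CApath entry is missing or misnamed on the side doing the verifying. The service name `example` and the ports in the printed stunnel.conf fragment are placeholders.

```shell
#!/bin/sh
# Added example for the stunnel-users thread; not code from the list or stunnel.
# Assumes: an openssl command on PATH. Keys and certificates are generated into
# a temp dir (constructed test PKI), so nothing here touches a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a CA profile for the root, a non-CA profile for the leaf.
cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF

# Constructed test PKI: one self-signed root CA and one server cert it signs.
make_test_pki() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=server.example" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/root-ca.pem" \
    -CAkey "$WORK/root-ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$WORK/server.crt" 2>/dev/null
  # Order OpenSSL's chain loader (and so stunnel's cert=) expects: leaf first, root last.
  cat "$WORK/server.crt" "$WORK/root-ca.pem" >"$WORK/server-chain.pem"
  # The reversed order tried in the thread, kept for comparison.
  cat "$WORK/root-ca.pem" "$WORK/server.crt" >"$WORK/reversed-chain.pem"
}

# Split a PEM bundle $1 into $2/cert-N.pem (one certificate each); echo the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# Succeeds when bundle $1 is leaf-first: each certificate's issuer must equal
# the subject of the certificate that follows it.
chain_order_ok() {
  d=$(mktemp -d "$WORK/split.XXXXXX")
  n=$(split_bundle "$1" "$d")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$d/cert-$i.pem")
    subject=$(openssl x509 -noout -subject -in "$d/cert-$((i + 1)).pem")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# Populate CApath $1 the way c_rehash does: each trusted CA in $2.. is stored as
# <subject-name-hash>.0, which is how OpenSSL looks up the issuer of a peer cert.
build_capath() {
  capath=$1; shift
  mkdir -p "$capath"
  for ca in "$@"; do
    h=$(openssl x509 -noout -hash -in "$ca")
    cp "$ca" "$capath/$h.0" && echo "$h.0"
  done
}

# Verify the leaf in bundle $2 against CApath $1, using the rest of $2 as the
# untrusted chain the peer would send. Echo OK or the OpenSSL error number
# (19 = self signed certificate in certificate chain: root not in the trust store).
verify_chain() {
  if out=$(openssl verify -CApath "$1" -untrusted "$2" "$2" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at .*/error \1/p' | head -n 1
  fi
}

make_test_pki
build_capath "$WORK/capath" "$WORK/root-ca.pem"
mkdir -p "$WORK/empty-capath"
echo "leaf-first order ok:  $(chain_order_ok "$WORK/server-chain.pem" && echo yes || echo no)"
echo "reversed order ok:    $(chain_order_ok "$WORK/reversed-chain.pem" && echo yes || echo no)"
echo "verify, root hashed:  $(verify_chain "$WORK/capath" "$WORK/server-chain.pem")"
echo "verify, empty CApath: $(verify_chain "$WORK/empty-capath" "$WORK/server-chain.pem")"

# Matching server-side stunnel.conf fragment. verify=2 checks the peer's chain
# against CApath; verify=3 would also require the peer's own cert to be there.
cat <<EOF
cert   = $WORK/server-chain.pem
key    = $WORK/server.key
CApath = $WORK/capath
verify = 2
[example]
accept  = 8443
connect = 127.0.0.1:8080
EOF
```

Running it prints `yes` for the leaf-first bundle, `no` for the reversed one, `OK` for the verification against the hashed root, and `error 19` against the empty directory. The same `openssl x509 -noout -hash` value is what `c_rehash` would have used for the file name, so comparing it with the names actually present in the stunnel CApath is a quick way to find a misnamed entry.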