[stunnel-users] Weird verify behaviour using intermediate CAs
Simon Vallet
sjv at genoscope.cns.fr
Wed Sep 30 15:01:31 CEST 2009
Hi,
we're trying to make use of stunnel here for proxy purposes: any
certificate-authenticated SSL client connection from the Internet would
be forwarded to some internal server.
This works fine, but I found some surprising behaviour when verifying
client certificates. Consider the following setup, using an
intermediate client CA:
* RootCA
** UserCA1
*** UserCert1
** UserCA2
*** UserCert2
To make this work, it seems I only have to include the Root CA
certificate in either a CAfile or a directory of trusted certificates.
I would have expected to have to include the intermediate CA (which is
signing the user certificate), but it seems it is not the case.
What worries me is that now *any* end-entity certificate which has been
issued by *other* intermediate CAs is accepted as valid, i.e. UserCert2
is accepted as valid, even if I don't include UserCA2 anywhere in
the configuration.
Is this really the intended behaviour? If not, what would I be
missing?
Simon
stunnel.conf -----------------------------------------------------------
connect = 127.0.0.1:25
CApath = /etc/stunnel/certs
cert = /etc/stunnel/apollon.genoscope.cns.fr-RevChain.pem
key = /etc/stunnel/apollon.genoscope.cns.fr-Key.pem
verify = 2
debug = 7
------------------------------------------------------------------------
[root at apollon certs]# ls -l /etc/stunnel/certs/
total 4
lrwxrwxrwx 1 root root 28 sep 30 11:01 9a5490ff.0 -> GenoscopeACRacine.cacert.pem
-rw-r--r-- 1 root root 2269 sep 15 11:47 GenoscopeACRacine.cacert.pem
[root at apollon certs]#
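What the post describes is ordinary X.509 path validation: the client sends its own intermediate along with its certificate, and the verifier only needs a trust anchor that the presented chain terminates in, so trusting RootCA alone accepts leaf certificates under every intermediate RootCA has ever signed. Restricting clients to UserCA1 is a policy on top of path validation, not something path validation can express by itself. The Go program below is an added illustration, not part of this thread and not stunnel code: it rebuilds the hierarchy from the post with constructed throwaway keys, reproduces the observed acceptance of UserCert2 with only RootCA trusted, and shows the extra check a proxy operator would need (comparing the issuing certificate in the validated chain against the one intermediate users are enrolled under). The function names VerifyRootAnchored and VerifyIssuedBy are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the hierarchy from the post, rebuilt with constructed keys:
// RootCA -> UserCA1 -> UserCert1 and RootCA -> UserCA2 -> UserCert2.
type PKI struct {
	Root, UserCA1, UserCA2, UserCert1, UserCert2 *x509.Certificate
}

var nextSerial int64 // demo-only serial counter; real CAs use random serials

// mustCert mints a throwaway certificate signed by parent (self-signed when
// parent is nil). Names, keys and lifetimes are constructed for this example;
// a failure here means a broken random source, so the demo simply panics.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI constructs both branches of the hierarchy.
func BuildPKI() *PKI {
	root, rootKey := mustCert("RootCA", true, nil, nil)
	ca1, ca1Key := mustCert("UserCA1", true, root, rootKey)
	ca2, ca2Key := mustCert("UserCA2", true, root, rootKey)
	u1, _ := mustCert("UserCert1", false, ca1, ca1Key)
	u2, _ := mustCert("UserCert2", false, ca2, ca2Key)
	return &PKI{Root: root, UserCA1: ca1, UserCA2: ca2, UserCert1: u1, UserCert2: u2}
}

// VerifyRootAnchored models verify = 2 with only RootCA in CApath: the client
// presents its leaf plus whatever intermediates it has, the verifier trusts
// only the root, and ordinary path validation decides. Returns the chain.
func VerifyRootAnchored(leaf, root *x509.Certificate, presented ...*x509.Certificate) ([]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// VerifyIssuedBy adds the policy the post is after: once path validation
// succeeds, the certificate directly above the leaf must be the one
// intermediate users are enrolled under.
func VerifyIssuedBy(leaf, root, allowedIssuer *x509.Certificate, presented ...*x509.Certificate) error {
	chain, err := VerifyRootAnchored(leaf, root, presented...)
	if err != nil {
		return err
	}
	if len(chain) < 2 || !chain[1].Equal(allowedIssuer) {
		return fmt.Errorf("%s: not issued by allowed intermediate %s", leaf.Subject.CommonName, allowedIssuer.Subject.CommonName)
	}
	return nil
}

func main() {
	p := BuildPKI()
	_, err := VerifyRootAnchored(p.UserCert2, p.Root, p.UserCA2)
	fmt.Println("root-only trust accepts UserCert2:", err == nil)
	fmt.Println("issuer pinned to UserCA1 rejects UserCert2:", VerifyIssuedBy(p.UserCert2, p.Root, p.UserCA1, p.UserCA2) != nil)
}
```

The same logic applies to the OpenSSL verification stunnel performs: with RootCA in CApath, UserCert2 validates as long as the client supplies UserCA2 in its handshake, and it fails only when no path to a trusted self-signed certificate can be built. The configuration-level alternative in stunnel's own manual is verify = 3, which requires the peer certificate itself to be installed in CApath rather than merely chaining to a trusted CA.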