[stunnel-users] problem with "verify=0"
wujot at home.pl
Wed Jul 7 20:40:07 CEST 2010
Hello everybody,
The basic SSL negotiation requires the exchange of nine SSL messages. If
client authentication is required, the server can send an additional
"certificate request" message. But this message is optional.
I'm using stunnel ver. 4.27 for Win and 4.28 for Linux. In both cases
stunnel, working as a server, sends the "certificate request" message to the
client regardless of the "verify" state, even with "verify=0". When "verify=0",
the server doesn't care about the client's certificate. So why does the server
send this message?
Part of my configuration and log is below:
[test]
accept = 60000
connect = 192.168.3.15:4679
client = no
;verify = 0
verify = none
ciphers=DES-CBC3-SHA
session = 3600
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): before/accept initialization
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 read client hello A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write server hello A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write certificate A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write certificate request A <-------------???!!!
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 flush data
2010.07.07 12:53:42 LOG6[2412:4280]: VERIFY IGNORE: depth=1, /C= ..............
2010.07.07 12:53:42 LOG5[2412:4280]: CRL: verification passed
2010.07.07 12:53:42 LOG5[2412:4280]: VERIFY OK: depth=1, /C= ..........
2010.07.07 12:53:42 LOG6[2412:4280]: VERIFY IGNORE: depth=0, /C= ................
2010.07.07 12:53:42 LOG5[2412:4280]: CRL: verification passed
2010.07.07 12:53:42 LOG5[2412:4280]: VERIFY OK: depth=0, /C= ..........................
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read client certificate A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read client key exchange a
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read certificate verify A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read finished A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 write change cipher spec A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 write finished A
So, my question is: how can I remove the "certificate request" message from
the stunnel-as-server negotiation?
Regards,
Wojtek
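
An added example, not part of the original post and not stunnel code: a small Python check that reads a debug log in the format shown above, rejoins wrapped records, and reports per process/thread whether the server wrote a "certificate request" and whether a client certificate came back. The sample log is constructed (thread 4280 mirrors the post, thread 5100 is made up), and keying one handshake per pid:thread pair is a simplifying assumption.

```python
import re

# Record header as it appears in the post: "2010.07.07 12:53:35 LOG7[2412:4280]: ..."
RECORD = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG\d\[(\d+):(\d+)\]: (.*)$")
STATE = re.compile(r"^SSL state \(accept\): (?:SSLv3 )?(.*)$")

# Constructed sample in the post's log format; thread 4280 mirrors the post,
# thread 5100 is a made-up handshake in which no certificate is requested.
SAMPLE = """\
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 read client
hello A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write
certificate request A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read client
certificate A
2010.07.07 12:54:10 LOG7[2412:5100]: SSL state (accept): SSLv3 read client
hello A
2010.07.07 12:54:10 LOG7[2412:5100]: SSL state (accept): SSLv3 write
certificate A
2010.07.07 12:54:11 LOG7[2412:5100]: SSL state (accept): SSLv3 read finished
A
"""

def unwrap(text):
    """Rejoin records that were wrapped onto continuation lines."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if RECORD.match(line) or not records:
            records.append(line)      # a new record starts with a timestamp header
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def audit(text):
    """Per (pid, thread): was a client certificate requested, and was one received?"""
    result = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        s = m and STATE.match(m.group(3))
        if not s:
            continue  # not a server-side handshake state line
        entry = result.setdefault((m.group(1), m.group(2)),
                                  {"requested": False, "received": False})
        entry["requested"] |= s.group(1).startswith("write certificate request")
        entry["received"] |= s.group(1).startswith("read client certificate")
    return result

if __name__ == "__main__":
    print(audit(SAMPLE))
```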