[stunnel-users] problem with "verify=0"

wujot at home.pl wujot at home.pl
Wed Jul 7 20:40:07 CEST 2010


Hello everybody,

The basic SSL negotiation requires the exchange of nine SSL messages. If 
client authentication is required, the server can send an additional 
"certificate request" message. But this message is optional.

I'm using stunnel ver. 4.27 for Win and 4.28 for Linux. In both cases 
stunnel, working as a server, sends the "certificate request" message to the 
client regardless of the "verify" state, even with "verify=0". When "verify=0", 
the server doesn't care about the client's certificate. So why does the server 
send this message?
Part of my configuration and log is below:


[test]
accept = 60000
connect = 192.168.3.15:4679
client = no
;verify = 0
verify = none
ciphers=DES-CBC3-SHA
session = 3600


2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): before/accept initialization
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 read client hello A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write server hello A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write certificate A
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write certificate request A         <-------------???!!!
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 flush data
2010.07.07 12:53:42 LOG6[2412:4280]: VERIFY IGNORE: depth=1, /C= ..............
2010.07.07 12:53:42 LOG5[2412:4280]: CRL: verification passed
2010.07.07 12:53:42 LOG5[2412:4280]: VERIFY OK: depth=1, /C= ..........
2010.07.07 12:53:42 LOG6[2412:4280]: VERIFY IGNORE: depth=0, /C= ................
2010.07.07 12:53:42 LOG5[2412:4280]: CRL: verification passed
2010.07.07 12:53:42 LOG5[2412:4280]: VERIFY OK: depth=0, /C= ..........................
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read client certificate A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read client key exchange a
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read certificate verify A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read finished A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 write change cipher spec A
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 write finished A


So, my question is: how to remove "certificate request" message from 
stunnel-as-server negotiation?

Regards,
  Wojtek
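
Added example, not part of the original post and not stunnel code: a small Python audit that rejoins debug-log lines wrapped as in the log above and reports, per bracketed process:thread id, whether the server wrote a certificate request and whether a client certificate came back, alongside the configured "verify" value. The sample log, the /C=XX subject and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the wrapped debug log and config in the post.
SAMPLE_LOG = """\
2010.07.07 12:53:35 LOG7[2412:4280]: SSL state (accept): SSLv3 write
certificate request A
2010.07.07 12:53:42 LOG6[2412:4280]: VERIFY IGNORE: depth=0, /C=XX
2010.07.07 12:53:42 LOG7[2412:4280]: SSL state (accept): SSLv3 read client
certificate A
2010.07.07 12:53:50 LOG7[2412:5000]: SSL state (accept): SSLv3 write
certificate A
"""
SAMPLE_CONF = "[test]\naccept = 60000\nclient = no\n;verify = 0\nverify = none\n"

ENTRY = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG\d\[(\d+:\d+)\]: (.*)$")

def parse_log(text):
    """Return (id, message) pairs, rejoining lines the mail client wrapped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()  # continuation line
    return [tuple(e) for e in entries]

def audit(log_text):
    """Per bracketed pid:thread id: certificate requested / received / ignored."""
    seen = defaultdict(lambda: {"requested": False, "received": False, "ignored": 0})
    for tid, msg in parse_log(log_text):
        facts = seen[tid]  # register the id even if no certificate activity follows
        if msg.endswith("write certificate request A"):
            facts["requested"] = True
        elif "read client certificate" in msg:
            facts["received"] = True
        elif msg.startswith("VERIFY IGNORE"):
            facts["ignored"] += 1
    return dict(seen)

def configured_verify(conf_text):
    """Last uncommented 'verify' value in the config, or None when unset."""
    value = None
    for raw in conf_text.splitlines():
        key, sep, val = raw.strip().partition("=")
        if sep and not key.startswith((";", "#")) and key.strip().lower() == "verify":
            value = val.strip()
    return value
```

Comparing configured_verify() with the "requested" flags shows at a glance which connections were asked for a client certificate under a given "verify" setting.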




