[stunnel-users] stunnel sends empty list of trusted CAs
Michal Trojnara
Michal.Trojnara at mirt.net
Wed Mar 31 21:07:59 CEST 2010
Sebastian Bork wrote:
> The normal setup is "verify = 3" and the complete certificate chain for
> each partner is put into the CA path. In most cases, this works without
> problems. However, in the handshake, after the server certificate is sent
> and stunnel asks the client to send a client certificate, stunnel sends an
> empty list of trusted CAs.
You should have implemented it the other way around:
The "cert" option should contain the complete certificate chain of stunnel, and
"CApath"/"CAfile" should only contain the trusted CA certificate for "verify =
2", and the trusted peer certificate for "verify = 3".
Basically, the "cert" option selects certificates to send, and the "CApath"/"CAfile"
options select certificates to authenticate the other machine.
Mike
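As an added illustration (not part of the original thread, and not stunnel's own sample config), here is a server-side stunnel configuration laid out the way the reply describes, with hypothetical file names: the full chain goes into "cert", while "CAfile" holds only what the peer is checked against.

```ini
; Added example, not from the original thread; all file names are hypothetical.
; The layout described in the question (each partner's complete chain in CApath,
; only the leaf certificate in "cert") is the one to avoid.

[partner-a]
accept  = 4433
connect = 127.0.0.1:8080
; "cert" = what stunnel SENDS: its own certificate first, followed by the
; intermediate CA certificate(s) that issued it, so the peer receives the
; whole chain in one file.
cert    = /etc/stunnel/stunnel-chain.pem
key     = /etc/stunnel/stunnel.key
; verify = 2: require a client certificate and validate it against a trusted CA.
; CAfile therefore holds only the CA certificate(s) client certs must chain to,
; not the partners' own certificates.
verify  = 2
CAfile  = /etc/stunnel/partner-ca.pem

[partner-b]
accept  = 4434
connect = 127.0.0.1:8081
cert    = /etc/stunnel/stunnel-chain.pem
key     = /etc/stunnel/stunnel.key
; verify = 3: the peer certificate itself must be locally installed, so
; CAfile/CApath holds the partner's own certificate rather than its chain.
verify  = 3
CAfile  = /etc/stunnel/partner-b-cert.pem
```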