[stunnel-users] The verify=3 option in client mode

Philipp Hartwig philipp.hartwig at uni-due.de
Wed Apr 6 11:46:26 CEST 2011


On Sat, Jan 15, 2011 at 08:50:02PM +0100, Michal Trojnara wrote:
>   Philipp Hartwig wrote:
> > My understanding is that stunnel will now exclusively accept the server
> > certificate stored in the imaps.pem file rendering all MITM attacks
> > impossible.
> >
> > I'd be grateful if someone could confirm that this setup makes sense. Is
> > this the way the verify=3 option is supposed to be used?
> 
> Yes, this is exactly the way "verify = 3" is supposed to be used.

I've just played around a bit and I'm a bit worried now that I still got 
the whole concept of "verify = 3" in client mode wrong.

I have created a CA and two different keys/certs for 127.0.0.1 signed by 
that CA. I've taken the CA cert and the first(!) of the two server certs 
and plugged them into a file "test.pem". Then I have created a section

> [test]
> accept = 127.0.0.1:4432
> connect = 127.0.0.1:4433
> CAfile = /home/ph/test.pem
> verify = 3

in my stunnel.conf and I've started a dummy s_server instance on 
127.0.0.1:4433 using the second(!) of the two server certificates.

My expectation was that a
$ telnet 127.0.0.1 4332
would fail because the server certificate in test.pem does NOT match the 
server certificate offered by the server. But to my surprise stunnel 
will happily establish the connection.

I'd be very grateful if someone could explain this to me. What did I get 
wrong?
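The pinning semantics the post expects from "verify = 3" (accept the peer only if the exact server certificate at depth 0 is in the local file, a matching CA certificate in the same file not being enough), written out as an added example; it is not stunnel's code, makes no claim about what stunnel actually does here, and uses constructed stand-in certificate bytes and function names of my own.

```python
import base64
import hashlib
import re

# One PEM certificate block; the body is whatever base64 sits between the markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_pins(pem_bundle: str) -> set:
    """Fingerprints of every certificate in a bundle like test.pem (CA cert + server cert)."""
    return {fingerprint(base64.b64decode("".join(body.split())))
            for body in _PEM_BLOCK.findall(pem_bundle)}

def leaf_is_pinned(chain_der, pins) -> bool:
    """Accept the peer only if the certificate at depth 0 (the one the server
    itself presents) is in the pin set. A CA certificate matching higher up
    the chain is deliberately NOT enough: that is the behaviour the poster
    expected from 'verify = 3'."""
    if not chain_der:
        return False
    return fingerprint(chain_der[0]) in pins

def make_pem(der: bytes) -> str:
    """Wrap bytes in PEM framing (used only to build the constructed sample file)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for the three certificates in the post. Real DER would
# be ASN.1; for a fingerprint comparison only the exact bytes matter.
CA_DER = b"constructed-ca-cert"
SERVER1_DER = b"constructed-server-cert-1"
SERVER2_DER = b"constructed-server-cert-2"

# test.pem as the poster built it: the CA cert plus the FIRST server cert.
TEST_PEM = make_pem(CA_DER) + make_pem(SERVER1_DER)

def check_scenario():
    """Returns (s_server with SECOND cert accepted?, server with FIRST cert accepted?)."""
    pins = load_pins(TEST_PEM)
    presented = [SERVER2_DER, CA_DER]   # chain the dummy s_server sends, leaf first
    expected = [SERVER1_DER, CA_DER]    # chain the poster wanted to be the only one accepted
    return leaf_is_pinned(presented, pins), leaf_is_pinned(expected, pins)
```

Under this leaf-only rule the second server certificate is rejected even though its issuer's certificate is in test.pem, which is the outcome the telnet test above was expected to show.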
