[stunnel-users] The verify=3 option in client mode
Philipp Hartwig
philipp.hartwig at uni-due.de
Wed Apr 6 11:46:26 CEST 2011
On Sat, Jan 15, 2011 at 08:50:02PM +0100, Michal Trojnara wrote:
> Philipp Hartwig wrote:
> > My understanding is that stunnel will now exclusively accept the server
> > certificate stored in the imaps.pem file rendering all MITM attacks
> > impossible.
> >
> > I'd be grateful if someone could confirm that this setup makes sense. Is
> > this the way the verify=3 option is supposed to be used?
>
> Yes, this is exactly the way "verify = 3" is supposed to be used.
I've just played around a bit and I'm a bit worried now that I still got
the whole concept of "verify = 3" in client mode wrong.
I have created a CA and two different keys/certs for 127.0.0.1 signed by
that CA. I've taken the CA cert and the first(!) of the two server certs
and plugged them into a file "test.pem". Then I have created a section
> [test]
> accept = 127.0.0.1:4432
> connect = 127.0.0.1:4433
> CAfile = /home/ph/test.pem
> verify = 3
in my stunnel.conf and I've started a dummy s_server instance on
127.0.0.1:4433 using the second(!) of the two server certificates.
My expectation was that a
$ telnet 127.0.0.1 4332
would fail because the server certificate in test.pem does NOT match the
server certificate offered by the server. But to my surprise stunnel
will happily establish the connection.
I'd be very grateful if someone could explain this to me. What did I get
wrong?
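The property the post expects from "verify = 3" in client mode is that the certificate the server presents must be one of the certificates in CAfile, so a second certificate signed by the same CA must be rejected. The following is an added example (not stunnel code and not from this thread) that performs exactly that comparison by SHA-256 fingerprint over a PEM bundle laid out like the post's test.pem (CA cert plus the first server cert). The sample certificates are constructed base64 payloads rather than real X.509 certificates; the parsing and fingerprint helpers work unchanged on real ones, and `peer_cert_pem` is the only part that needs a live server.

```python
"""Check whether a presented certificate is contained in a PEM bundle."""
import base64
import hashlib
import re
import ssl

# One PEM certificate block; re.S lets '.' span the base64 body lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text):
    """Return each individual PEM certificate block found in a bundle file."""
    return PEM_CERT.findall(text)


def fingerprint(pem_cert):
    """SHA-256 fingerprint of one PEM certificate, colon separated like openssl."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # strips armor, base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_in_bundle(presented_pem, bundle_text):
    """True only if the presented certificate is byte-for-byte in the bundle."""
    wanted = fingerprint(presented_pem)
    return any(fingerprint(c) == wanted for c in split_pem_bundle(bundle_text))


def peer_cert_pem(host, port):
    """Fetch the certificate a TLS server presents (needs a live server)."""
    return ssl.get_server_certificate((host, port))


def _fake_pem(label):
    """Constructed stand-in: a PEM-armored payload, not a real certificate."""
    body = base64.encodebytes(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample mirroring the post: one CA, two server certs for 127.0.0.1,
# and a test.pem that holds the CA cert plus only the FIRST server cert.
CA_CERT = _fake_pem("constructed CA certificate")
SERVER_CERT_1 = _fake_pem("constructed server certificate 1 for 127.0.0.1")
SERVER_CERT_2 = _fake_pem("constructed server certificate 2 for 127.0.0.1")
TEST_PEM = CA_CERT + SERVER_CERT_1

if __name__ == "__main__":
    print("cert 1 in test.pem:", cert_in_bundle(SERVER_CERT_1, TEST_PEM))
    print("cert 2 in test.pem:", cert_in_bundle(SERVER_CERT_2, TEST_PEM))
```

Against a running server, `cert_in_bundle(peer_cert_pem("127.0.0.1", 4433), open("test.pem").read())` reports whether the presented certificate is the pinned one.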