[stunnel-users] Confusion regarding part of stunnel.conf
Ludolf Holzheid
lholzheid at bihl-wiedemann.de
Thu Feb 10 09:37:21 CET 2011
On Wed, 2011-02-09 18:13:30 -0600, Dave wrote:
> [..]
>
> 1) What are the necessary settings for "authentication stuff" to prevent
> the MITM attack vector mentioned in stunnel.conf?
As far as I understood the whole thing, you need level two or three to
force the peer to use a certificate at all.
> 2) What is the proper way to set up (self-signed) certs to prevent such
> an attack? Can a self-signed cert be used at a verify level of 2 or 3?
Self-signed certificates can't be checked against a certificate
authority (and can't be revoked). For self-signed certificates to be
handled sensibly, you need level three.
BTW, level three is not 'higher' than level two, just 'different':
Level two checks the certificate against a CA, while level three
checks it for being locally installed.
HTH,
Ludolf
--
---------------------------------------------------------------
Ludolf Holzheid Tel: +49 621 339960
Bihl+Wiedemann GmbH Fax: +49 621 3392239
Floßwörthstraße 41 e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
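To make the distinction between verify levels two and three concrete, here is an added stunnel.conf example (not part of the thread, and not an official stunnel example). It shows a client section configured for level two, where the peer's certificate must chain to a CA in CAfile, next to one configured for level three, where the peer's own (self-signed) certificate must itself be present in CAfile. All file paths, hostnames and ports are assumed placeholders.

```ini
; Added example, not from the mailing list post. Paths and hosts are assumptions.

; --- Level two: peer must present a certificate, and it must chain to a CA ---
; A self-signed peer certificate has no CA to chain to, so this is the wrong
; level for the self-signed case discussed above.
[db-client-ca]
client  = yes
accept  = 127.0.0.1:5433
connect = db.example.internal:5432
verify  = 2
CAfile  = /etc/stunnel/ca-bundle.pem   ; CA certificate(s) that signed the server cert

; --- Level three: peer certificate must be locally installed ---
; CAfile holds the server's own self-signed certificate (the leaf itself),
; so only that exact certificate is accepted; anything else is rejected
; even if it carries the same subject name.
[db-client-pinned]
client  = yes
accept  = 127.0.0.1:5434
connect = db.example.internal:5432
verify  = 3
CAfile  = /etc/stunnel/db-server-selfsigned.pem   ; the peer's self-signed cert

; --- Server side: require and pin the client certificate as well ---
; The client's self-signed certificate is placed in CAfile so that a
; connection without the expected certificate is refused, closing the
; MITM gap stunnel.conf warns about in both directions.
[db-server]
cert    = /etc/stunnel/db-server-selfsigned.pem
key     = /etc/stunnel/db-server.key
accept  = 0.0.0.0:5432
connect = 127.0.0.1:5433
verify  = 3
CAfile  = /etc/stunnel/allowed-clients.pem   ; concatenated self-signed client certs
```

When generating a self-signed certificate for use at level three, copy the certificate file (not the key) to the other side and append it to that side's CAfile; stunnel then treats it as the only acceptable peer identity rather than as a signing authority.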