[stunnel-users] The verify=3 option in client mode
Philipp Hartwig
philipp.hartwig at uni-due.de
Wed Jan 12 10:12:08 CET 2011
Hello,
I'm using stunnel in client mode to provide an SSL connection for
offlineimap[1] which does not support verification of SSL certificates.
As I've read stunnel does not compare the name of the server offering
the certificate to the server name mentioned in the certificate (in the
CN field for example). So if I used the following section in my
stunnel.conf
client=yes
[imaps]
accept = 127.0.0.1:4322
connect = imap.gmail.com:993
CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
verify = 2
stunnel would happily accept any certificate signed by Equifax for an
arbitrary website. Is this correct?
So I've switched to using the verify=3 option and I just want to make
sure I configured it correctly.
I'm now using the following section
client=yes
[imaps]
accept = 127.0.0.1:4322
connect = imap.gmail.com:993
CAfile= /home/ph/.certs/imaps.pem
verify = 3
imaps.pem is a file containing two certificates, namely the first
and the last certificate in the certificate chain of imap.gmail.com,
that is the Equifax CA certificate and the server certificate itself.
I then use offlineimap to establish an unencrypted connection to
127.0.0.1:4322.
My understanding is that stunnel will now exclusively accept the server
certificate stored in the imaps.pem file rendering all MITM attacks
impossible.
I'd be grateful if someone could confirm that this setup makes sense. Is
this the way the verify=3 option is supposed to use? First I thought
that it should be enough to just provide the server certificate in the
imaps.pem file, but then openssl would complain about a self-signed
certificate, so I included the CA certificate as well.
Regards,
Philipp
[1] https://github.com/jgoerzen/offlineimap/wiki/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4611 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110112/311083bf/attachment.bin>
More information about the stunnel-users
mailing list