[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Jochen Bern Jochen.Bern at LINworks.de
Wed Oct 26 18:56:11 CEST 2011


On 10/26/2011 05:56 PM, al_9x at yahoo.com wrote:
> On 10/26/2011 3:43 AM, Jochen Bern wrote:
>> So I'd guess that the algorithm you're at odds with is part of OpenSSL,
>> rather than something stunnel can change.
> Trusting a specific server cert is a viable validation strategy, I doubt
> openssl makes that impossible.

Unlike with stunnel, I'm able to forgo belief and put OpenSSL to the
test pretty much wherever my laptop happens to be running:

$ openssl s_client -showcerts -connect imaps:imaps > Server.crt 2>&1
1 LOGOUT

$  grep -n CERT Server.crt
15:-----BEGIN CERTIFICATE-----
35:-----END CERTIFICATE-----

$ openssl s_client -verify 5 -CAfile Server.crt \
> -connect imaps:imaps 2>&1 | grep Verify
    Verify return code: 21 (unable to verify the first certificate)
1 LOGOUT

$ openssl s_client -verify 5 -CAfile /etc/openvpn/*-ca-cert.pem \
> -connect imaps:imaps 2>&1 | grep Verify
    Verify return code: 0 (ok)
1 LOGOUT

Regards,
								J. Bern
-- 
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, Fax -299 - Local court Darmstadt HRB 85202
Registered office Weiterstadt, Managing directors Metin Dogan, Oliver Michel
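The same experiment repeated offline with a throwaway CA and a server certificate issued by it, as an added example that is not part of the original post. It uses `openssl verify` instead of `s_client` (so no live IMAP server is needed), assumes the openssl CLI is installed, and also tries the `-partial_chain` verify option, which is the OpenSSL switch that lets a non-self-signed certificate in the CAfile act as a trust anchor.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a tiny test PKI in a
# temporary directory: a self-signed CA (playing the role of the
# /etc/openvpn/*-ca-cert.pem file) and a server certificate signed by it
# (playing the role of Server.crt). Names and paths are constructed here.
make_test_pki() {
    dir=$(mktemp -d)
    # Self-signed CA certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Server (leaf) certificate: CSR, then signed by the CA
    openssl req -newkey rsa:2048 -nodes -subj /CN=imaps.example \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

# verify_leaf DIR CAFILE [extra openssl verify options]
# Verifies leaf.pem against the given trust file and prints "ok" or "fail".
# The ": OK" line is grepped rather than relying on the exit status, because
# older OpenSSL releases exit 0 from `openssl verify` even on failure.
verify_leaf() {
    dir=$1; cafile=$2; shift 2
    if openssl verify "$@" -CAfile "$dir/$cafile" "$dir/leaf.pem" 2>/dev/null \
        | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone run: the three cases from the mailing-list post, plus the
# partial-chain variant that trusts the leaf certificate directly.
dir=$(make_test_pki)
echo "CAfile = leaf certificate only:            $(verify_leaf "$dir" leaf.pem)"
echo "CAfile = issuing CA certificate:           $(verify_leaf "$dir" ca.pem)"
echo "CAfile = leaf only, with -partial_chain:   $(verify_leaf "$dir" leaf.pem -partial_chain)"
rm -rf "$dir"
```

Without `-partial_chain`, OpenSSL only accepts a chain that ends at a self-signed certificate it trusts, which is why a CAfile holding just the server certificate fails.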
