[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Jochen Bern
Jochen.Bern at LINworks.de
Wed Oct 26 18:56:11 CEST 2011
On 10/26/2011 05:56 PM, al_9x at yahoo.com wrote:
> On 10/26/2011 3:43 AM, Jochen Bern wrote:
>> So I'd guess that the algorithm you're at odds with is part of OpenSSL,
>> rather than something stunnel can change.
> Trusting a specific server cert is a viable validation strategy, I doubt
> openssl makes that impossible.
Unlike with stunnel, I'm able to forgo belief and put OpenSSL to the
test pretty much wherever my laptop happens to be running:
$ openssl s_client -showcerts -connect imaps:imaps > Server.crt 2>&1
1 LOGOUT
$ grep -n CERT Server.crt
15:-----BEGIN CERTIFICATE-----
35:-----END CERTIFICATE-----
$ openssl s_client -verify 5 -CAfile Server.crt \
> -connect imaps:imaps 2>&1 | grep Verify
Verify return code: 21 (unable to verify the first certificate)
1 LOGOUT
$ openssl s_client -verify 5 -CAfile /etc/openvpn/*-ca-cert.pem \
> -connect imaps:imaps 2>&1 | grep Verify
Verify return code: 0 (ok)
1 LOGOUT
Regards,
J. Bern
--
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel
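The experiment above, rebuilt offline as an added example (not part of the original post, and not stunnel or OpenSSL project code): a constructed throwaway CA and leaf, verified with only the leaf in the CAfile, with the CA in the CAfile, and finally with OpenSSL's partial-chain flag, which is the one verify option that accepts a non-self-signed certificate in the trust store as the end of the chain. It assumes openssl(1) 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the experiment above
# offline with a throwaway CA and leaf certificate (constructed here), and
# show the one OpenSSL switch that does accept a bare leaf as trust anchor.
# Assumes openssl(1) 1.1.1 or newer is on PATH.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one end-entity cert it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imaps.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Prints "accepted" or "rejected" for verifying leaf.pem against the given
# trust file; any extra 'openssl verify' options follow the file name.
outcome() {
    trust="$1"; shift
    if openssl verify "$@" -CAfile "$WORK/$trust" "$WORK/leaf.pem" \
        >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_test_pki
# 1. Only the leaf in the CAfile: no issuer can be found, so the default
#    chain builder rejects it (the "Verify return code: 21" case above).
echo "leaf.pem as CAfile:                 $(outcome leaf.pem)"
# 2. The issuing CA in the CAfile: a complete chain to a self-signed root.
echo "ca.pem as CAfile:                   $(outcome ca.pem)"
# 3. The same leaf-only CAfile, but with X509_V_FLAG_PARTIAL_CHAIN, which
#    lets a non-self-signed cert found in the trust store end the chain.
echo "leaf.pem as CAfile, -partial_chain: $(outcome leaf.pem -partial_chain)"
```

Whether a given stunnel build exposes the partial-chain flag is a separate question; the script only shows what the underlying OpenSSL verifier does with each CAfile.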