[stunnel-users] Verify=2 and Verification Depth...

Matt Wise matt at nextdoor.com
Mon Apr 28 23:31:22 CEST 2014


Anyone have any thoughts here? We're going through the process of splitting
all of our SubCAs out into their own dedicated RootCAs, but that doesn't
seem like a great option. It would be much better if we could simply
specify the verification depth for Stunnel. Thoughts on how hard this might
be to add?

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Fri, Apr 11, 2014 at 9:21 AM, Matt Wise <matt at nextdoor.com> wrote:

> It was my understanding that when you have an Stunnel Server configured
> with 'verify=2', that the client that connects must have a certificate
> signed by the same CA/SubCA combination that the server does. So for
> example:
>
>   - My_Root_Ca (private CA)
>     - Some_Random_Cert.pem
>     - Stunnel_Sub_Ca:
>       - Server.pem
>       - Client.pem
>     - Postgres_Sub_Ca:
>       - Server.pem
>       - postgres_user.pem
>
> With the above structure in place (and the stunnel server using
> Stunnel_Sub_Ca/Server.pem) if someone tried to connect in with the
> Stunnel_Sub_Ca/Client.pem cert, it would work... but if they tried to
> connect in with Postgres_Sub_Ca/Server.pem, it wouldn't.
>
> Unfortunately we're not seeing that behavior... we're seeing a behavior
> where *every* cert signed by the overall Root CA is validated. We're able
> to connect in using Some_Random_Cert.pem, Postgres_Sub_Ca/Server.pem and
> Postgres_Sub_Ca/postgres_user.pem.
>
> This feels wrong ... what am I missing?
>
> (We're using Stunnel 4.55 btw)
>
> Matt Wise
> Sr. Systems Architect
> Nextdoor.com
>
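
An added example, not part of the original thread and not stunnel code: it rebuilds the hierarchy from the quoted message with throwaway keys and compares `openssl verify` using the root as trust anchor against trusting only `Stunnel_Sub_Ca` with `-partial_chain`. The leaf names `Stunnel_Client` and `Postgres_Server`, the temporary paths and the helper functions are assumptions made for the example. With the root as anchor all three leaves validate; with only the sub-CA trusted, only `Stunnel_Client` does.

```bash
#!/usr/bin/env bash
# Added example: throwaway CA tree named after the hierarchy in the thread.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
# Minimal OpenSSL config (constructed): a DN stub plus a CA extension section.
printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' > "$W/min.cnf"

# issue NAME ISSUER KIND  (ISSUER=self self-signs; KIND=ca marks the cert as a CA)
issue() {
  name=$1 issuer=$2 kind=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$W/min.cnf" -subj "/CN=$name" \
    -keyout "$W/$name.key" -out "$W/$name.csr" 2>/dev/null
  set -- -req -in "$W/$name.csr" -out "$W/$name.pem" -days 1
  if [ "$kind" = ca ]; then set -- "$@" -extfile "$W/min.cnf" -extensions ca; fi
  if [ "$issuer" = self ]; then set -- "$@" -signkey "$W/$name.key"
  else set -- "$@" -CA "$W/$issuer.pem" -CAkey "$W/$issuer.key" -CAcreateserial; fi
  openssl x509 "$@" >/dev/null 2>&1
}

issue My_Root_Ca self ca
issue Stunnel_Sub_Ca My_Root_Ca ca
issue Postgres_Sub_Ca My_Root_Ca ca
issue Stunnel_Client Stunnel_Sub_Ca leaf
issue Postgres_Server Postgres_Sub_Ca leaf
issue Some_Random_Cert My_Root_Ca leaf
cat "$W/Stunnel_Sub_Ca.pem" "$W/Postgres_Sub_Ca.pem" > "$W/intermediates.pem"

# Root as the trust anchor: any path that ends at My_Root_Ca validates.
verify_root_anchor() {
  openssl verify -CAfile "$W/My_Root_Ca.pem" -untrusted "$W/intermediates.pem" \
    "$W/$1.pem" >/dev/null 2>&1
}
# Only Stunnel_Sub_Ca is trusted; -partial_chain lets a non-root CA end the path.
verify_subca_anchor() {
  openssl verify -partial_chain -CAfile "$W/Stunnel_Sub_Ca.pem" \
    "$W/$1.pem" >/dev/null 2>&1
}

for c in Stunnel_Client Postgres_Server Some_Random_Cert; do
  verify_root_anchor "$c" && r=accept || r=reject
  verify_subca_anchor "$c" && s=accept || s=reject
  printf '%-17s root-anchor=%s subca-anchor=%s\n' "$c" "$r" "$s"
done
```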