[stunnel-users] OCSP Responders in AIA extension

Ender Erel ender.erel at icterra.com
Wed Jan 22 16:55:13 CET 2014


Thanks for the feedback, I really appreciate it.

I just have one more question. Let's say the server presents a certificate chain, and the order of certificates in the pem file I saved is different than how the server presented it. Would the connection still be successful? Or is the order of the certificates in the pem file important?

Regards,
Ender

From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Michal Trojnara
Sent: Wednesday, January 22, 2014 12:59 AM
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] OCSP Responders in AIA extension

Hi Ender,

The AIA extension is indeed currently ignored by stunnel.
This feature is on my TODO list.  I hope to find time to implement it.
I cannot just apply the patch, as it doesn't have a license.  I also don't accept copyleft (e.g. GPL) patches.

The configuration you described seems to be correct.

Mike

On 2014-01-20 14:22, Ender Erel wrote:
I am sorry, it seems I forgot the link to the e-mail I mentioned.

https://www.stunnel.org/pipermail/stunnel-users/2008-July/002068.html

Any ideas?

Regards,
Ender Erel

From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Ender Erel
Sent: Friday, January 17, 2014 3:31 PM
To: stunnel-users at stunnel.org<mailto:stunnel-users at stunnel.org>
Subject: [stunnel-users] OCSP Responders in AIA extension

Hi All,

Does stunnel check the OCSP responders found in a certificate's AIA field? I am asking this because in the following e-mail from back 2008, the sender mentions a patch that implements this functionality. The patch is included with the mail but I don't think it is included in the later versions of stunnel. Does this mean OCSP responders inside a receied certificate are ignored?

I also want to ask another thing. When using verify = 3 in client mode, which file is used to check the received certificate? Is it the CAfile?
If so, would it work like this:

-          I manually opened a connection to a server outside stunnel, downloaded the server's certificate, and closed the connection.

-          I saved this certificate to a file, and wrote the path of this file in the stunnel configuration file (CAfile = /mycerts/tmpcert.pem,verify=3).

-          I started stunnel and initiated a connection to the server.
Would the connection be successful? Would it be the right way to use verify=3?

Kind Regards,
Ender Erel




_______________________________________________

stunnel-users mailing list

stunnel-users at stunnel.org<mailto:stunnel-users at stunnel.org>

https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140122/ce4d2142/attachment.html>


More information about the stunnel-users mailing list