[stunnel-users] CN field of server cert

spambox at poczta.onet.pl spambox at poczta.onet.pl
Sat May 14 22:50:20 CEST 2005


Hi stunnel-users,

Here is an example configuration:

<!--
client = yes
foreground = yes
ciphers = DES-CBC3-SHA
verify = 2
CAfile = ThawteServerCA.txt

[asd]
accept = 127.0.0.1:60465
connect = smtp.gmail.com:465
#connect = 64.233.185.109:465
-->

I don't know how to force stunnel to verify the CN field of the server-provided certificate.
Even if I change the "connect" field to the next one, stunnel will not complain.

So, am I wrong that when someone hijacks (MITM) this connection and provides any server cert signed by ThawteServerCA, then I lose?
Please add this verification to stunnel when verify is set to 2, or better, as a separate option "verify_cn?" which could be used in a service-level context.

Using this option together with the one described below, I could drop 'verify' and 'CAfile' altogether and feel much better. :)

There is another verification method that could be added, not related to the verify option. In most cases I know the public cert of the remote server, so I also know the sha1/md5 fingerprint of that cert.

Security could improve very much by just adding these lines to my example configuration:
fingerprint_md5=F5:BD:C3:C8:D5:4B:03:EA:57:BB:81:72:46:6B:26:54
fingerprint_sha1=CE:3A:0D:3E:DA:4B:77:A3:53:C0:9E:A8:65:B7:F8:C2:09:71:43:41

Another good service-level option?

There are some other good options that could be ported from openssl/s_client:
"-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"

Regards.
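The two checks the post asks for (a hostname check against the server certificate and a fingerprint pin) as an added example in Python, not code from the post or from stunnel. SAMPLE_CERT and SAMPLE_DER are constructed stand-ins for what Python's getpeercert() returns, and check_server is a hypothetical wrapper that applies both checks on a live connection.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample: the shape ssl.SSLSocket.getpeercert() returns for a
# hypothetical smtp.gmail.com certificate (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "smtp.gmail.com"),),),
    "subjectAltName": (("DNS", "smtp.gmail.com"), ("DNS", "*.googlemail.com")),
}
# Constructed stand-in for the DER bytes from getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-der-placeholder"

def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard is honoured only as the entire
    leftmost label, never across dots, and never for a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def host_matches_cert(cert: dict, host: str) -> bool:
    """Match host against DNS SANs; fall back to CN only when no DNS SAN exists."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(name, host) for name in dns_names)

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase digest, the format openssl x509 -fingerprint prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Constant-time comparison so the pin check does not leak through timing."""
    return hmac.compare_digest(fingerprint(der, algo), expected.upper())

def check_server(host: str, port: int, expected_sha1: str, cafile=None) -> bool:
    """Hypothetical wrapper: chain verification via the CA file, then both extra checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert, der = tls.getpeercert(), tls.getpeercert(binary_form=True)
    return host_matches_cert(cert, host) and fingerprint_matches(der, expected_sha1)
```

With a pinned fingerprint the CA-signed MITM certificate described in the post fails the second check even though it passes chain verification.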


