[stunnel-users] certificate root chain

Olivier twist twist_54 at hotmail.com
Thu Feb 9 10:53:08 CET 2006


Hello,

I've already sent a message for my problem but no answer.

I have a server certificate signed by GlobalSign. I don't want to use client 
certificate.
But if I don't put the certification chain on the CAFILE of stunnel and 
don't set verify at 1, stunnel doesn't check the server certification chain 
and the server certificate appears broken on client side !!!
I've post this problem on the stunnel mailing list but you tell me that if I 
don't use client certificate I don't have to set verify at 1. But it doesn't 
work, and why GlobalSign and others explain how to install server 
certificatation chain on servers like apache mod ssl?(see 
http://support.globalsign.net/en/serversign/apachemodssl.cfm) when I read 
this help file I suppose that the ssl protocol on server side makes a check 
of server certificate, and that's the reason why the certificate chain 
appears broken or not on client side.

My current ugly solution is to set verify at 1, in this case, on client 
side, the certificate appears good and not broken but... a dialog box 
appears and ask for client certificate and some plugin like flash doesn't 
support that.

i use stunnel 4.14
stunnel.conf:

cert = c:\certif\inTest.crt
key = c:\certif\inTest.key

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

verify = 1
CAfile = c:\certif\ca.pem

;client = yes

[https]
accept  = 443
connect = 127.0.0.1:901
TIMEOUTclose = 0

[rtmps]
accept  = 80
connect = 127.0.0.1:900
TIMEOUTclose = 0


Could anybody gives me a support?

Thx

Oliver





More information about the stunnel-users mailing list