[stunnel-users] Weird verify behaviour using intermediate CAs

delaage.pierre at free.fr
Thu Oct 1 06:44:12 CEST 2009


Hello,
Everything should work "securely" once you have the usercert2 hash present in your
CApath (and the client cert file present, of course, somewhere on the server), and
there is really a chain from that cert to the related root CA (the chain should be
present in the client cert file, so there is no need to declare chains in the
stunnel server conf file). If that is the case, we can say that your server has
issued the client certificate, in one way or another, and client cert validation
will work.

What would be really worrying would be if usercert2 was validated while not being
present in CApath: but this is not the case, is it...

Pierre

Quoting Simon Vallet <sjv at genoscope.cns.fr>:

> Hi,
>
> we're trying to make use of stunnel here for proxy purposes: any
> certificate-authenticated SSL client connection from the Internet would
> be forwarded to some internal server.
>
> This works fine, but I found some surprising behaviour when verifying
> client certificates. Consider the following setup, using an
> intermediate client CA:
>
> * RootCA
> ** UserCA1
> *** UserCert1
>
> ** UserCA2
> *** UserCert2
>
> To make this work, it seems I only have to include the Root CA
> certificate in either a CAfile or a directory of trusted certificates.
> I would have expected to have to include the intermediate CA (which is
> signing the user certificate), but it seems it is not the case.
>
> What worries me is that now *any* end-entity certificate which has been
> issued by *other* intermediate CAs is accepted as valid, i.e. UserCert2
> is accepted as valid, even if I don't include UserCA2 anywhere in
> the configuration.
>
> Is this really the intended behaviour? If not, what would I be
> missing?
>
> Simon
>
> stunnel.conf -----------------------------------------------------------
>
> connect = 127.0.0.1:25
> CApath = /etc/stunnel/certs
> cert = /etc/stunnel/apollon.genoscope.cns.fr-RevChain.pem
> key = /etc/stunnel/apollon.genoscope.cns.fr-Key.pem
> verify = 2
> debug = 7
>
> ------------------------------------------------------------------------
>
> [root at apollon certs]# ls -l /etc/stunnel/certs/
> total 4
> lrwxrwxrwx 1 root root   28 sep 30 11:01 9a5490ff.0 ->
> GenoscopeACRacine.cacert.pem
> -rw-r--r-- 1 root root 2269 sep 15 11:47 GenoscopeACRacine.cacert.pem
> [root at apollon certs]#
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
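The behaviour Simon describes is standard X.509 path validation: a trust anchor is trusted for every certificate it has (directly or transitively) signed, so placing only RootCA in the CApath accepts UserCert2 as long as the client supplies UserCA2 in its handshake chain. The script below is an added example, not code from the thread or from the stunnel project. It rebuilds the thread's PKI (RootCA, UserCA1, UserCA2, UserCert1, UserCert2) with throwaway RSA keys, populates hashed CApath directories the way c_rehash does (the `<subject_hash>.0` symlink visible in the `ls -l` above), and runs `openssl verify` against them. It assumes an `openssl` binary of version 1.0.2 or later (for `-partial_chain`); the `-untrusted` argument stands in for the intermediate the TLS client sends along with its certificate.

```shell
#!/bin/sh
# Added example: rebuild the PKI from the thread (RootCA -> UserCA1 -> UserCert1,
# RootCA -> UserCA2 -> UserCert2) with throwaway keys, then show what `openssl verify`
# accepts depending on which certificates sit in a hashed CApath directory.
# Names follow the thread; all keys, certificates and paths are constructed here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config: a DN section (required by `openssl req`) plus the two extension
# profiles that matter for chain building: CA:TRUE for the CAs, CA:FALSE for leaves.
cat >"$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# issue NAME ISSUER EXTSECTION: key + CSR for NAME, signed with ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$CNF" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed root, then the two intermediates and their end-entity certificates.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CNF" -extensions ca_ext \
    -subj /CN=RootCA -days 1 -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.pem" 2>/dev/null
issue UserCA1 RootCA ca_ext
issue UserCA2 RootCA ca_ext
issue UserCert1 UserCA1 leaf_ext
issue UserCert2 UserCA2 leaf_ext

# install_trusted DIR CERT...: what c_rehash / `openssl rehash` does, written out so
# the <subject_hash>.N symlink naming from the thread's `ls -l` is visible.
install_trusted() {
    dir=$1; shift
    mkdir -p "$dir"
    for cert; do
        hash=$(openssl x509 -noout -subject_hash -in "$WORK/$cert.pem")
        i=0
        while [ -e "$dir/$hash.$i" ]; do i=$((i + 1)); done   # collision suffix
        ln -s "$WORK/$cert.pem" "$dir/$hash.$i"
    done
}

TRUST_ROOT="$WORK/capath-root"; install_trusted "$TRUST_ROOT" RootCA    # the thread's setup
TRUST_CA1="$WORK/capath-ca1";   install_trusted "$TRUST_CA1" UserCA1    # trust one branch only

# verify_leaf TRUSTDIR LEAF [CHAIN] [EXTRA]: prints OK or FAIL. CHAIN is the
# intermediate the peer would send in its TLS handshake (passed as -untrusted);
# EXTRA carries additional verify flags such as -partial_chain.
verify_leaf() {
    if [ -n "${3:-}" ]; then chain="-untrusted $WORK/$3.pem"; else chain=""; fi
    # shellcheck disable=SC2086
    out=$(openssl verify -CApath "$1" ${4:-} $chain "$WORK/$2.pem" 2>&1 || true)
    case $out in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

fmt='%-22s %-10s %-6s %s\n'
printf "$fmt" trusted leaf chain result
printf "$fmt" RootCA  UserCert1 yes "$(verify_leaf "$TRUST_ROOT" UserCert1 UserCA1)"
printf "$fmt" RootCA  UserCert2 yes "$(verify_leaf "$TRUST_ROOT" UserCert2 UserCA2)"
printf "$fmt" RootCA  UserCert2 no  "$(verify_leaf "$TRUST_ROOT" UserCert2)"
printf "$fmt" UserCA1 UserCert1 no  "$(verify_leaf "$TRUST_CA1" UserCert1)"
printf "$fmt" "UserCA1 -partial_chain" UserCert1 no  "$(verify_leaf "$TRUST_CA1" UserCert1 "" -partial_chain)"
printf "$fmt" "UserCA1 -partial_chain" UserCert2 yes "$(verify_leaf "$TRUST_CA1" UserCert2 UserCA2 -partial_chain)"
```

The first two rows reproduce the observation in the thread: with RootCA as the only trust anchor, both UserCert1 and UserCert2 verify, because each client ships its own intermediate. The third row shows the point made in the reply about the chain having to be present in the client's certificate file: without UserCA2 in the handshake, UserCert2 cannot be chained and is rejected. The last three rows show how to restrict trust to one branch: a non-self-signed certificate in the CApath is not accepted as an anchor by default, but with OpenSSL's partial-chain mode (`-partial_chain` on the command line, `X509_V_FLAG_PARTIAL_CHAIN` in the API) UserCA1 alone anchors UserCert1 while UserCert2, issued under UserCA2, still fails.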
