[stunnel-users] The verify=3 option in client mode

• Previous message (by thread): [stunnel-users] Question of stunnel/openssl for X86 processor -- Pierre's patch
• Next message (by thread): [stunnel-users] The verify=3 option in client mode
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I'm using stunnel in client mode to provide an SSL connection for 
offlineimap[1] which does not support verification of SSL certificates.

As I've read stunnel does not compare the name of the server offering 
the certificate to the server name mentioned in the certificate (in the 
CN field for example). So if I used the following section in my 
stunnel.conf

  client=yes

  [imaps]
  accept  = 127.0.0.1:4322
  connect = imap.gmail.com:993
  CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
  verify = 2

stunnel would happily accept any certificate signed by Equifax for an 
arbitrary website. Is this correct?

So I've switched to using the verify=3 option and I just want to make 
sure I configured it correctly.

I'm now using the following section

  client=yes

  [imaps]
  accept  = 127.0.0.1:4322
  connect = imap.gmail.com:993
  CAfile= /home/ph/.certs/imaps.pem
  verify = 3

imaps.pem is a file containing two certificates, namely the first 
and the last certificate in the certificate chain of imap.gmail.com, 
that is the Equifax CA certificate and the server certificate itself.

I then use offlineimap to establish an unencrypted connection to 
127.0.0.1:4322.

My understanding is that stunnel will now exclusively accept the server 
certificate stored in the imaps.pem file rendering all MITM attacks 
impossible.

I'd be grateful if someone could confirm that this setup makes sense. Is 
this the way the verify=3 option is supposed to use? First I thought 
that it should be enough to just provide the server certificate in the 
imaps.pem file, but then openssl would complain about a self-signed 
certificate, so I included the CA certificate as well.

Regards,
Philipp

[1] https://github.com/jgoerzen/offlineimap/wiki/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4611 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110112/311083bf/attachment.bin>

• Previous message (by thread): [stunnel-users] Question of stunnel/openssl for X86 processor -- Pierre's patch
• Next message (by thread): [stunnel-users] The verify=3 option in client mode
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]