<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello again,<br>
More precisely : that option should be set on the machine that has
generated the certificate : probably not your "client" one...<br>
but a kind of CA server somewhere...<br>
<br>
Not related at all to stunnel. <br>
<br>
You should subscribe to openssl mailing lists here :<br>
<a class="moz-txt-link-freetext" href="http://www.openssl.org/support/community.html">http://www.openssl.org/support/community.html</a><br>
<br>
Best<br>
Pierre Delaage<br>
<br>
<br>
Le 11/03/2014 05:31, Athir Nuaimi a écrit :<br>
</div>
<blockquote
cite="mid:CAEGfm8WK5=3rg7ZGv53E+eTnPBsE_JDXWxiQy1jfwV2k07hmFw@mail.gmail.com"
type="cite">
<div dir="ltr">I'm trying to write a go program to connect to an
stunnel server and verify the certificate but it fails because
the go language requires that self-signed certs have keyCertSign
set in the keyUsages. the default stunnel.cnf does not set
this. According to the following message thread this is
required by RFC 5280.
<div>
<br>
<div><a moz-do-not-send="true"
href="https://groups.google.com/forum/#%21msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ">https://groups.google.com/forum/#!msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ</a><br>
</div>
<div>
<div><br>
</div>
<div>The solution to this is to add 'keyUsage = keyCertSign'
to the stunnel.cnf.</div>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
stunnel-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a>
<a class="moz-txt-link-freetext" href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a>
</pre>
</blockquote>
<br>
</body>
</html>