[stunnel-users] Need help: verification of client and server certificates
Mike_Stunnel at mzarlenga.com
Mon Dec 20 08:09:43 CET 2004
For my Stunnel server, I'm using Windows ME, OpenSSL 0.9.7e and Stunnel
I've create my own Certificate Authority on my server and created and
signed a server and multiple client certificates for Stunnel.
I plan to use Stunnel to secure my VNC connections to my PC - to encrypt
the traffic and to validate the clients.
On the server side:
I want to limit connections to my Stunnel server to only those Stunnel
clients that present a client certificate that I already have a copy of
on my server. And I want Stunnel server to only recognize my own
Certificate Authority as a valid CA for the clients' certificates.
Is this possible?
What options do I need to specify in the Stunnel server configuration
file to make this work?
The documentation is confusing to me - for example, do I use CAfile or
CApath to point Stunnel to the the CA certificate? Will Stunnel
recognize other CAs as trusted, if their certificates have been loaded
by other programs like a browsers or mail reader? Etcetera ..
On the client side:
As with the server, I want my Stunnel client to only recognize my own CA
as trusted. And I want it to validate the server certificate as
thoroughly as possible. Is that verify level 3?
I need the CA certificate on my client, but do I use CAfile or CAcert in
the config file to point to it?
Do I need a copy of the server certificate on my client so that the
client can verify the server's certificate?
I'm so confused!
I've read the FAQ and Related links on stunnel.org and also the past 4
months' mailing list digests but I'm still not clear on the certificate
verification process. or all the options in the configuration file.
More information about the stunnel-users