[stunnel-users] Need help: verification of client and server certificates

Mon Dec 20 08:09:43 CET 2004

For my Stunnel server, I'm using Windows ME, OpenSSL 0.9.7e and Stunnel 
4.05.

I've create my own Certificate Authority on my server and created and 
signed a server and multiple client certificates for Stunnel.

I plan to use Stunnel to secure my VNC connections to my PC - to encrypt 
the traffic and to validate the clients.

On the server side:
-------------------
I want to limit connections to my Stunnel server to only those Stunnel 
clients that present a client certificate that I already have a copy of 
on my server. And I want Stunnel server to only recognize my own 
Certificate Authority as a valid CA for the clients' certificates.

Is this possible?

What options do I need to specify in the Stunnel server configuration 
file to make this work?

The documentation is confusing to me - for example, do I use CAfile or 
CApath to point Stunnel to the the CA certificate? Will Stunnel 
recognize other CAs as trusted, if their certificates have been loaded 
by other programs like a browsers or mail reader? Etcetera ..

On the client side:
-------------------
As with the server, I want my Stunnel client to only recognize my own CA 
as trusted. And I want it to validate the server certificate as 
thoroughly as possible. Is that verify level 3?

I need the CA certificate on my client, but do I use CAfile or CAcert in 
the config file to point to it?

Do I need a copy of the server certificate on my client so that the 
client can verify the server's certificate?

I'm so confused!

I've read the FAQ and Related links on stunnel.org and also the past 4 
months' mailing list digests but I'm still not clear on the certificate 
verification process. or all the options in the configuration file.