[stunnel-users] CN field of server cert

spambox at poczta.onet.pl spambox at poczta.onet.pl
Sat May 14 22:50:20 CEST 2005

Hi  stunnel-users,

There is example configuration:

client = yes
foreground = yes
ciphers = DES-CBC3-SHA
verify = 2
CAfile = ThawteServerCA.txt

accept =
connect = smtp.gmail.com:465
#connect =

I don't know how to enforce stunnel to verify CN field from server provided certificate.
Even if i change "connect" field to next one stunnel will not complain.

So, am I wrong that when someone hijack (mitm) this connection and provide any server cert signed by ThawteServerCA then I loose?
Please add this verification to stunnel when verify is set to 2 or better as an separate option "verify_cn?" which could be used in service-level context.

Usting this option with that described below I can drop 'verify' and 'CAfile' at all and feel much better. :)

There is another verification method that could be added - not related to verify option. In most cases I know public cert of remote server. So I also know sha1/md5 fingerprint of that cert.

Security could improve v.much by just adding these lines to my example configuration:

Another good service-level option?

There are some other good options that could be ported from openssl/s_client:
"-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"


More information about the stunnel-users mailing list