[stunnel-users] CN field of server cert

Michal Trojnara Michal.Trojnara at mirt.net
Sun May 15 00:24:11 CEST 2005


Dear Anonymous,

(where is the traditional Polish politeness...)

On Saturday 14 of May 2005 22:50, spambox at poczta.onet.pl wrote:
> client = yes
> verify = 2
> CAfile = ThawteServerCA.txt
> [asd]
> accept = 127.0.0.1:60465
> connect = smtp.gmail.com:465

I don't think it's a good idea.  You probably don't really *trust*
all companies that have a certificate signed by Thawte.

It's much better to have verify=3 and the exact certificate used
by the server as the CAfile parameter.

> I don't know how to enforce stunnel to verify CN field from server provided
> certificate.

What you need is cryptographic authentication.
CN verification is vulnerable to DNS poisoning.

> So, am I wrong that when someone hijack (mitm) this connection and provide
> any server cert signed by ThawteServerCA then I loose? Please add this
> verification to stunnel when verify is set to 2 or better as an separate
> option "verify_cn?" which could be used in service-level context.

No.  I'm not going to give users a false sense of security.

> Usting this option with that described below I can drop 'verify' and
> 'CAfile' at all and feel much better. :)

No.  You should download the peer certificate and verify it with verify=3.

Best regards,
    Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20050515/4f328876/attachment.sig>


More information about the stunnel-users mailing list