[stunnel-users] CN field of server cert

spambox at poczta.onet.pl spambox at poczta.onet.pl
Sun May 15 02:02:04 CEST 2005

>> CAfile = ThawteServerCA.txt

In my example I'm not using "CApath" option.
Is there any difference between:
 - CAfile which contains ThawteServerCA and peer cert
 - CApatch with ddc328ff.0 (ThawteServerCA) and 313fe585.0 (smtp.gmail.com peer cert) files

Both ways work fine.

> No.  You should download the peer certificate and verify it with verify=3.

Instead of downloading can I obtain this peer cert this way?
$ openssl s_client -connect smtp.gmail.com:465

> It's much better to have verify=3 and the exact certificate used
> by the server as the CAfile parameter.

That's the solution. Thank You.

More information about the stunnel-users mailing list