[stunnel-users] certificate root chain
jan.meijer at surfnet.nl
Thu Feb 9 11:12:51 CET 2006
On Thu, 9 Feb 2006, Olivier twist wrote:
> I've already sent a message for my problem but no answer.
Try to be a little more patient. The people who give support on this list
are generally busy people who are kind enough to provide support on
stunnel to the broader community on a volunteer basis, free of charge.
But they do have regular jobs.
> I have a server certificate signed by GlobalSign. I don't want to use client
> But if I don't put the certification chain on the CAFILE of stunnel and don't
> set verify at 1, stunnel doesn't check the server certification chain and the
> server certificate appears broken on client side !!!
> I've post this problem on the stunnel mailing list but you tell me that if I
> don't use client certificate I don't have to set verify at 1. But it doesn't
> work, and why GlobalSign and others explain how to install server
> certificatation chain on servers like apache mod ssl?(see
> http://support.globalsign.net/en/serversign/apachemodssl.cfm) when I read this
> help file I suppose that the ssl protocol on server side makes a check of
> server certificate, and that's the reason why the certificate chain appears
> broken or not on client side.
>From your description I gather that you have stunnel at both the client
and server side? If so, try to set verify=1 at the *client side* to
verify the server certificate chain and do not do verify at the server
side. If I remember correctly you should put the CA chain in the
'server.pem' file together with your server certificate.
More information about the stunnel-users