[stunnel-users] certificate root chain

Thu Feb 9 11:12:51 CET 2006

On Thu, 9 Feb 2006, Olivier twist wrote:

> I've already sent a message for my problem but no answer.

Try to be a little more patient.  The people who give support on this list
are generally busy people who are kind enough to provide support on
stunnel to the broader community on a volunteer basis, free of charge.
But they do have regular jobs.

> I have a server certificate signed by GlobalSign. I don't want to use client
> certificate.
> But if I don't put the certification chain on the CAFILE of stunnel and don't
> set verify at 1, stunnel doesn't check the server certification chain and the
> server certificate appears broken on client side !!!
> I've post this problem on the stunnel mailing list but you tell me that if I
> don't use client certificate I don't have to set verify at 1. But it doesn't
> work, and why GlobalSign and others explain how to install server
> certificatation chain on servers like apache mod ssl?(see
> http://support.globalsign.net/en/serversign/apachemodssl.cfm) when I read this
> help file I suppose that the ssl protocol on server side makes a check of
> server certificate, and that's the reason why the certificate chain appears
> broken or not on client side.

>From your description I gather that you have stunnel at both the client
and server side?  If so, try to set verify=1 at the *client side* to
verify the server certificate chain and do not do verify at the server
side.  If I remember correctly you should put the CA chain in the
'server.pem' file together with your server certificate.

Jan
-- 
http://www.surfnet.nl/organisatie/jame