[stunnel-users] need help with verify 1 option

Olivier twist twist_54 at hotmail.com
Fri Jan 13 10:50:45 CET 2006

> > In the past, I always used stunnel with the option verify set at 2. Works fine.
> >
> > But for a few days I have had a basic use of an ssl connection and need only
> > the server certificate, and I use a classical browser like Netscape
> > on the client side.
> >
> > If I don't set verify at 1, the certification chain is broken, I see it in
> > Netscape. If I try to set verify at 1 then the
> > certification chain is valid BUT before the connection the browser asks
> > me for a client certificate !! I click cancel and it works
> > but I don't want the browser to ask for a client certificate ! I don't
> > have this problem with apache mod ssl but.... I don't want
> > to use apache because I only have port redirection to do on a non-http
> > protocol and it seems that we can't do redirection on
> > a non-http protocol with the proxy module for example.
> >
> > Have you an idea?

>Maybe.  You say you only want to verify the server certificate, right?
>Then why ask for a client certificate?  verify = 1 says 'verify peer
>certificate if present'.  Hence, it will verify the *client certificate*
>if you have one.  So it will ask you for one.  Just don't do verify on
>your stunnel server and you should be OK.

If you use a certificate signed by a third party, the server checks the 
certification chain when a user connects to the server. That's the reason why you 
have to store the intermediate certificates in the CAfile. If verify is not 
set at 1, stunnel doesn't check the certification chain and on the client side 
the certification chain appears broken.
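As an added example (not part of this thread and not stunnel's own sample config), here is a server-side stunnel.conf that presents the full chain to browsers without ever requesting a client certificate. The stunnel manual describes the file named by `cert` as a certificate chain PEM file, so the intermediate CA certificate belongs there, appended after the server certificate; `verify` is left unset so the server sends no certificate request, and CAfile is then not needed on the server side. The paths and the service name are assumptions.

```ini
; Added example, not from the thread: server-side stunnel.conf
; Paths and the service name are assumed; adjust to your deployment.

; Certificate chain PEM file. The assumed file server-chain.pem holds, in order:
;   1. the server certificate
;   2. the intermediate CA certificate(s) issued by the third-party CA
; Putting the intermediates here is what lets the browser build the chain;
; it does not depend on the verify option at all.
cert = /etc/stunnel/server-chain.pem
; Private key for the server certificate (may also live inside cert file)
key = /etc/stunnel/server.key

; No "verify" line: with verify unset stunnel never asks the client for a
; certificate, so Netscape shows no certificate prompt. CAfile is only
; needed when verify is set, i.e. when the server must check the client.

[myservice]
accept = 443
connect = 127.0.0.1:8080
```

To confirm what the server really presents, run `openssl s_client -connect host:443 -showcerts -CAfile root-ca.pem`: it prints every certificate sent in the handshake (the intermediate should appear after the server certificate) and ends with `Verify return code: 0 (ok)` once the chain closes to a trusted root. If the intermediate is missing from that output, it is not in the chain file, whatever the CAfile contains.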


