Domenico Andreoli cavokz at gmail.com
Wed Jun 13 18:15:59 CEST 2007


I have always successfully used openssl/stunnel but now I am facing
a new problem, a variation of the usual client-side authentication
documented everywhere.

I have a root CA and child CA which is signed by the root one. I have
also a client certificate that is signed only by the child CA.

In order to verify the certificate signature using openssl I need to
specify both the CA certificates, this works as expected.

What I would like to achieve is to authenticate the clients using a
stunnel server having only the root CA certificate. Is there some stunnel
client configuration switch that allows me to push the child CA certificate?

One that looks interesting is (from the manpage):

  cert = pemfile
    certificate chain PEM file name

    A PEM is always needed in server mode.  Specifying this flag in client
    mode will use this certificate chain as a client side certificate chain.
    Using client side certs is optional.  The certificates must be in PEM
    format and must be sorted starting with the certificate to the highest
    level (root CA).

in particular "The certificates must be in PEM format and must be
sorted starting with the certificate to the highest level (root CA)"
lets me hope but I am not able to understand how it works.

I made many tries but on server side I always get a "VERIFY ERROR:
depth=1, error=invalid CA certificate:" referring to the child CA
certificate and then a "SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned" followed by connection shutdown.

Supposing the client private key is in a separate file, if I put
the certificates in the order specified by the manpage I get a key
mismatching error upon stunnel startup. If instead I put the client
certificate first, then the server does not authenticate it. Where am
I wrong?

I cannot change the server configuration, it must work as it is. I have
hundreds of them and I can update them only using the SSL connection.

Thanks for any help.
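As an added example, not part of the original post or of stunnel itself: the shell script below builds a root CA, a child CA signed by it and a client certificate signed only by the child CA (all subjects, file names and paths are made up), then uses the openssl command line to check what a verifier that trusts only the root CA will accept. It demonstrates the points the thread turns on: the client certificate presented alone cannot be verified against the root; the same certificate accompanied by the child CA certificate can; and a chain PEM is paired with the private key through its first certificate, so the client certificate must come first, followed by the child CA, with the root at the end, which is the order the quoted manpage text describes. It also shows one condition that yields the text "invalid CA certificate" at depth 1: an intermediate CA certificate issued without any CA extensions (no basicConstraints CA:TRUE).

```shell
#!/bin/sh
# Added example (not from the original post): build root CA -> child CA ->
# client certificate with openssl and check, offline, what a verifier that
# trusts only the root CA accepts.  All names, subjects and paths are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One openssl config for every request.  ca_ext marks a certificate as a CA,
# leaf_ext is used for the end-entity client certificate.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_cert <name> <CN> <issuer name | self> <extension section | "">
# Writes $WORK/<name>.key and $WORK/<name>.pem.  An empty extension section
# signs the certificate with no extensions at all (the negative case below).
make_cert() (
  cd "$WORK"
  if [ "$3" = self ]; then
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
  else
    openssl req -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    if [ -n "$4" ]; then
      openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
          -days 1825 -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
    else
      openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
          -days 1825 -out "$1.pem" 2>/dev/null
    fi
  fi
)

# verify_with_root [-untrusted <pem>] <leaf>: succeeds only when openssl
# prints "<leaf>: OK".  The trust store holds nothing but the root CA, like a
# server configured with only the root certificate.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" "$@" 2>/dev/null | grep -q ': OK$'
}

# verify_error <same arguments>: the first reason openssl gives for a failure.
verify_error() {
  openssl verify -CAfile "$WORK/root.pem" "$@" 2>&1 \
      | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# first_cert_matches_key <pem> <key>: does the FIRST certificate in the PEM
# belong to the key?  "openssl x509" reads only the first certificate of a
# file, which is also the one a chain-file loader pairs with the private key.
first_cert_matches_key() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

run_demo() {
  make_cert root      "Example Root CA"               self     ca_ext
  make_cert child     "Example Child CA"              root     ca_ext
  make_cert client    "example-client"                child    leaf_ext
  # Negative case: a child CA signed without basicConstraints CA:TRUE.
  make_cert badchild  "Example Child CA without CA flag" root  ""
  make_cert badclient "example-client-2"              badchild leaf_ext

  # Chain PEM in the order a chain-file loader expects: the end-entity
  # certificate first, then the CA that issued it, upwards towards the root.
  cat "$WORK/client.pem" "$WORK/child.pem" > "$WORK/chain-leaf-first.pem"
  # The same two certificates with the child CA first (the wrong order).
  cat "$WORK/child.pem" "$WORK/client.pem" > "$WORK/chain-ca-first.pem"

  out=""
  if verify_with_root "$WORK/client.pem"; then out="leaf-alone=ok"; else out="leaf-alone=fail"; fi
  if verify_with_root -untrusted "$WORK/child.pem" "$WORK/client.pem"; then out="$out chain=ok"; else out="$out chain=fail"; fi
  if first_cert_matches_key "$WORK/chain-leaf-first.pem" "$WORK/client.key"; then out="$out leaf-first=keymatch"; else out="$out leaf-first=keymismatch"; fi
  if first_cert_matches_key "$WORK/chain-ca-first.pem" "$WORK/client.key"; then out="$out ca-first=keymatch"; else out="$out ca-first=keymismatch"; fi
  out="$out badchild=$(verify_error -untrusted "$WORK/badchild.pem" "$WORK/badclient.pem")"
  echo "$out"
}

run_demo
```

Running it prints one line: the client certificate alone fails against the root-only store, the client certificate plus the child CA verifies, only the leaf-first chain file matches the client key, and the child CA lacking CA extensions is rejected with "invalid CA certificate". The `-untrusted` option plays the role of the intermediate certificate a client sends along with its own certificate; a chain PEM in the leaf-first order is how that intermediate gets delivered by an OpenSSL-based client such as stunnel's `cert =` file.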


