[stunnel-users] Using externally signed certificate with stunnel 4

Tim Skirvin tskirvin at stanford.edu
Mon Jul 7 19:19:39 CEST 2008


Tim Skirvin <tskirvin at stanford.edu> writes:

>         I've got a comodo signed SSL certificate that I'm trying to use
> with stunnel4 to allow secure NNTP connections from a wide variety of
> clients.  The certificate at least partially works; if I leave 'verify' 
> off in the stunnel.conf file, then the service runs and users can connect,
> albeit while still having to verify the cert.  But if I turn 'verify' on,
> then it doesn't work on *either* side.

        Well, I've gotten this to work, after dealing with a large number
of red herrings and nastiness.  In short:
        
        1.  Turn off all 'verify' options; that's trying to solve a
problem I'm not working with.  (Also, turn down the 'debug' to something
reasonable and turn off 'foreground'.)

        2.  Put all three certificates in news-stunnel.pem, separated by
a single blank line.

        3.  Point CAfile at an existent file, or take it out altogether.

        That's it.  Once that's done, everything works.

        I should note that throughout the help documents and man pages, I
was told that the CAfile directive was an important part of keeping track
of the certificates, and told to use it to store copies of the upstream
certs.  This was apparently not relevant.  Perhaps the documentation could
be updated to note this?

                            - Tim Skirvin (tskirvin at stanford.edu)
-- 
   Information Technology Services      http://www.stanford.edu/~tskirvin/
System Software Developer, Unix Team           Stanford University
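As an added illustration of the three steps above (an example shell script written for this page, not from the original post or the stunnel project): it assembles a news-stunnel.pem from separately delivered server, intermediate, root and key files in the order OpenSSL expects (the server's own certificate first, then the chain upward; the private key is found by its PEM label wherever it sits), restricts the file's permissions, checks that every block is closed and that the first certificate really is the server's, and writes a minimal server-side stunnel.conf with no `verify` and no `CAfile` line, since on a server `verify` requests client certificates rather than checking the server's own chain. All file names, ports, the log path and the PEM contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and sanity-check a concatenated PEM for an stunnel
# server, then write a minimal config that presents it. Nothing here is a
# real certificate; the PEM bodies are dummy markers (constructed data).
set -eu

WORK="${TMPDIR:-/tmp}/stunnel-chain-demo"   # assumed scratch directory
mkdir -p "$WORK"

# Write a placeholder PEM block: same framing as a real file, dummy body.
write_fake_pem() {  # $1 = path, $2 = BEGIN/END label, $3 = body marker
    printf '%s\n%s\n%s\n' "-----BEGIN $2-----" "$3" "-----END $2-----" > "$1"
}
write_fake_pem "$WORK/server.pem"       "CERTIFICATE"     "FAKELEAF"
write_fake_pem "$WORK/intermediate.pem" "CERTIFICATE"     "FAKEINTERMEDIATE"
write_fake_pem "$WORK/root.pem"         "CERTIFICATE"     "FAKEROOT"
write_fake_pem "$WORK/key.pem"          "RSA PRIVATE KEY" "FAKEKEY"

# Concatenate PEM files in the given order, one blank line between blocks
# (OpenSSL ignores the blank lines; they only help a human read the file).
build_chain() {  # $1 = output path, remaining args = PEM files in order
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        printf '\n' >> "$out"
    done
    chmod 600 "$out"   # the file carries the private key: owner-only access
}

# Print how many PEM blocks of label $2 the file $1 contains.
count_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Print the first CERTIFICATE block of $1 (this is the one stunnel serves
# as the server certificate; the rest are sent as the chain).
first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/{p=1} p{print}
         /^-----END CERTIFICATE-----/{if(p) exit}' "$1"
}

# Return 0 if $1 is structurally sane and its first certificate is the
# server certificate held in $2; on real files, confirm the subject with
# "openssl x509 -noout -subject" as well.
check_chain() {
    b=$(grep -c '^-----BEGIN ' "$1" || true)
    e=$(grep -c '^-----END ' "$1" || true)
    [ "$b" -eq "$e" ] || return 1                      # unbalanced blocks
    [ "$(count_blocks "$1" CERTIFICATE)" -ge 1 ] || return 1
    first_cert "$1" | cmp -s - "$2" || return 1        # leaf must come first
    return 0
}

# Server-side config: no 'verify' (that would demand client certificates)
# and no 'CAfile' (only needed when verifying peers). Ports assumed.
write_conf() {  # $1 = conf path, $2 = PEM path
    cat > "$1" <<EOF
cert = $2
debug = 5
output = /var/log/stunnel-news.log
foreground = no

[nntps]
accept = 563
connect = 127.0.0.1:119
EOF
}

build_chain "$WORK/news-stunnel.pem" \
    "$WORK/server.pem" "$WORK/intermediate.pem" "$WORK/root.pem" "$WORK/key.pem"
check_chain "$WORK/news-stunnel.pem" "$WORK/server.pem" && echo "chain OK"
write_conf "$WORK/stunnel.conf" "$WORK/news-stunnel.pem"
```

Run it as-is to see the assembled PEM and config under the scratch directory; swap in real files by replacing the four write_fake_pem lines, keeping the same argument order to build_chain.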