[stunnel-users] Common Name checking

Mark Bolton mbolton at boltz.co.uk
Tue Jul 14 13:21:26 CEST 2009

I believe this has been discussed before on the list but I wanted to  
get a better understanding and confirm the current situation.

Is it still correct that when using verify=2, the peer's hostname is  
not checked (via a name service lookup) to match the Common Name in  
the presented certificate? With the main reason being that you cannot  
necessarily trust the name service?

I am asking because we have a closed network in which we do trust our  
dns servers, and Common Name checking would be advantageous to us  
given the following scenario:

We have a single (central) host that connects to multiple  
'client' hosts via stunnel. The central host presents a certificate  
signed by our own CA. Each client has a copy of our CA's certificate  
and has verify=2. So when the central server connects, the client  
checks that the certificate presented has really been signed by our  
own CA. So using this mechanism, only servers (i.e. the central  
server) with a signed certificate are allowed to connect.

All good so far, however the problem is if the signed certificate is  
copied (stolen) to another server. This 'other' server can connect to  
all the clients also. With Common Name checking, the clients could, as  
well as checking the signature, check that the presenting host has the same  
hostname as in the certificate.

Is there any way we can use stunnel to help us guard against this  
'stolen cert' situation, or if not, what else could we do?
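An added illustration of the check described above, written for this page and not part of the original thread or of stunnel itself: given a peer certificate in the dict shape Python's `ssl` module returns from `getpeercert()`, compare the names it claims against the hostnames the client expects the central host to have, so that a certificate copied to a different host fails the name check even though its signature still verifies. All hostnames are constructed placeholders.

```python
import socket

def cert_names(cert):
    """DNS names a certificate claims: subjectAltName entries, with the
    subject commonName used only when no SAN names are present."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for attr, v in rdn if attr == "commonName")
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    A '*' is honoured only as the whole leftmost label and only when at
    least two labels follow it (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or "." not in tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail

def peer_name_ok(cert, expected_hostnames):
    """True when some name in the certificate matches a hostname the client
    expects its peer to have. Chain validation (stunnel's verify=2) must
    already have passed; this adds the binding of certificate to host that a
    copied certificate on another machine would fail."""
    return any(name_matches(n, h)
               for n in cert_names(cert) for h in expected_hostnames)

def expected_names_for_peer(peer_ip):
    """Names the client believes the connecting address has, from reverse
    DNS. This is the step that trusts the name service, so it is only
    meaningful on a network whose resolvers are trusted."""
    try:
        host, aliases, _ = socket.gethostbyaddr(peer_ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host, *aliases]

# Constructed sample: the central host's certificate as getpeercert()
# would present it (placeholder names, not from any real deployment).
CENTRAL_CERT = {
    "subject": ((("commonName", "central.example.internal"),),),
    "subjectAltName": (("DNS", "central.example.internal"),),
}
```

In the scenario above, `peer_name_ok(CENTRAL_CERT, expected_names_for_peer(peer_ip))` is the check a client would run after stunnel's signature verification; `expected_names_for_peer` performs a live reverse lookup and returns an empty list (so the check fails closed) when the address cannot be resolved.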
