[stunnel-users] Authenticate both client and server?

Kārlis Repsons repsons at gmail.com
Mon Nov 23 12:16:08 CET 2009

On Monday 23 November 2009 09:34:22 Ludolf Holzheid wrote:
> >>     cert = pemfile
> >>         certificate chain PEM file name
> >> 
> >>         A PEM is always needed in server mode.  Specifying this
> >>         flag in client mode will use this certificate chain as a
> >>         client side certificate chain.  Using client side certs is
> >>         optional.  The certificates must be in PEM format and must
> >>         be sorted starting with the certificate to the highest
> >>         level (root CA).
> I think this says, the file given in the 'cert=' line in stunnel.conf
> must include the whole certificate chain.
> > I also tried with adding root-ca.pem to the bottom of server and
> > client .pem, but the same bum. Do you have any idea at this point?
> The man page says this has to be the other way 'round (starting with
> CA).

Well, the result on my side is as follows...

"must be sorted starting with the certificate to the highest level (root CA).":

I would like to assert the intended meaning of this. To me it means "from the 
assigned certificate down to root ca"! My English bug? How was that meant 
Suppose Ludolf's right about "from root-ca to the assigned cert.": c_rehash 
gives equal hashes for all @[root-ca.pem, server.descend.pem, 

On the other hand, when tried from assigned down to root, the self signed 
root-ca is tried to verify and it fails, saying "VERIFY ERROR: depth=1, 
error=self signed certificate in certificate chain" and "certificate verify

More information about the stunnel-users mailing list