[stunnel-users] Authenticate both client and server?

Carter Browne cbrowne at cbcs-usa.com
Mon Nov 23 14:32:39 CET 2009

I verify both server and client using both self-signed and
non-self-signed certificates.  If the certificates are not all
self-signed, verify should be set to 2 and not 3.  Verify=2 will follow
the certificate chain whereas verify=3 will not.  As I have a mixture
of Windows and Linux computers, I find it much easier to use the
hashcode as the file name. 


Carter Browne
cbrowne at cbcs-usa.com

Kārlis Repsons wrote:
> On Monday 23 November 2009 09:34:22 Ludolf Holzheid wrote:
>>>>     cert = pemfile
>>>>         certificate chain PEM file name
>>>>         A PEM is always needed in server mode.  Specifying this
>>>>         flag in client mode will use this certificate chain as a
>>>>         client side certificate chain.  Using client side certs is
>>>>         optional.  The certificates must be in PEM format and must
>>>>         be sorted starting with the certificate to the highest
>>>>         level (root CA).
>> I think this says, the file given in the 'cert=' line in stunnel.conf
>> must include the whole certificate chain.
>>> I also tried with adding root-ca.pem to the bottom of server and
>>> client .pem, but the same bum. Do you have any idea at this point?
>> The man page says this has to be the other way 'round (starting with
>> CA).
> Well, the result on my side is as follows...
> "must be sorted starting with the certificate to the highest level (root CA).":
> I would like to assert the intended meaning of this. To me it means "from the 
> assigned certificate down to root ca"! My English bug? How was that meant 
> really?
> Suppose Ludolf's right about "from root-ca to the assigned cert.": c_rehash 
> gives equal hashes for all @[root-ca.pem, server.descend.pem, 
> client.descend.pem]...
> On the other hand, when tried from assigned down to root, the self signed 
> root-ca is tried to verify and it fails, saying "VERIFY ERROR: depth=1, 
> error=self signed certificate in certificate chain" and "certificate verify
> failed".
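
An added example, not part of the original thread: a check of the certificate order in a `cert=` PEM file, assuming the leaf-first order (own certificate, then its issuers, root CA last) that OpenSSL documents for SSL_CTX_use_certificate_chain_file. It compares issuer and subject names only and verifies no signatures; the sample certificates are constructed unsigned stubs, and `check_leaf_first`, `stub_pem` and the other names are hypothetical.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, start_of_value, end_of_value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(cert):
    """Return (issuer, subject) of one certificate as raw DER Name bytes."""
    _, p, _ = tlv(cert, 0)                  # Certificate
    _, p, end = tlv(cert, p)                # tbsCertificate
    fields = []
    while p < end:
        tag, _, e = tlv(cert, p)
        fields.append((tag, cert[p:e]))
        p = e
    if fields[0][0] == 0xA0:                # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]       # serial, sigAlg, issuer, validity, subject

def check_leaf_first(pem):
    """List ordering problems in a cert= style PEM bundle (names only)."""
    chain = [names(base64.b64decode(b"".join(m.split()))) for m in PEM_RE.findall(pem)]
    problems = []
    for i, (issuer, subject) in enumerate(chain[:-1]):
        if issuer == subject:
            problems.append(f"cert {i}: self-signed certificate is not last")
        elif issuer != chain[i + 1][1]:
            problems.append(f"cert {i}: not issued by cert {i + 1}")
    return problems

# --- constructed sample input: unsigned DER stubs, not real certificates ---
def enc(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form length; stubs are < 128 bytes

def stub_pem(issuer_cn, subject_cn):
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03"), enc(0x0C, cn))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), enc(0x30),
              name(issuer_cn), enc(0x30), name(subject_cn))
    body = base64.encodebytes(enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00")))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

ROOT, SERVER = stub_pem(b"root-ca", b"root-ca"), stub_pem(b"root-ca", b"server")
```

`check_leaf_first(SERVER + ROOT)` returns an empty list, while `check_leaf_first(ROOT + SERVER)` reports the self-signed certificate in first position.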