[stunnel-users] Weird verify behaviour using intermediate CAs
sjv at genoscope.cns.fr
Mon Oct 5 11:45:32 CEST 2009
On Sun, 04 Oct 2009 07:23:15 +0200
delaage.pierre at free.fr wrote:
> You are right that my suggestions only work with verify = 3.
> But with verify=2, you should try this:
> CApath empty
> CAfile containing a concatenation of the ONLY intermediate CA certs you really
OK, here are the results:
- CAfile containing only the intermediate CA cert I want to trust:
LOG4[32456:3086175120]: VERIFY ERROR: depth=1, error=unable to get
issuer certificate: [...]
LOG7[32456:3086175120]: SSL alert (write): fatal: unknown CA
which seems reasonable.
- CAfile containing the intermediate CA I want to trust and the Root CA:
LOG6[32464:3086822288]: SSL accepted: new session negotiated
this works, and trying to authenticate with a certificate issued by
another sub CA does not work (good news ;-)
Actually, it also works when using CApath -- the issue I encountered
apparently only occurs if you add, then remove a CA certificate from
the CApath: if I added a sub CA certificate and the corresponding link
to the path, tested the connection, and then removed them, I could still
authenticate, which I found weird, since the setup is in inetd mode (so
stunnel would be started from scratch at each connection).
I can't reliably reproduce the issue today -- maybe some kind
of race condition?
Anyway, I can separate users based on their issuing CA now, so I guess
everything is fine.
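The three outcomes reported in this message (intermediate-only CAfile rejected at depth 1, intermediate plus root accepted, a certificate from a sibling sub CA rejected) can be reproduced without stunnel, because verify=2 hands the chain check to the same OpenSSL X509_verify_cert() logic that "openssl verify" uses. The script below is an added example, not code from the thread or from the stunnel project; it builds a constructed throwaway PKI (Demo Root -> Demo Sub A -> client-a, Demo Root -> Demo Sub B -> client-b) in a temp directory and assumes only an openssl CLI with the -no-CApath (1.1.0+) and -partial_chain (1.0.2+) options. It also adds the caveat a practitioner would want: case 4 shows that once the root is in CAfile, a client issued by the other sub CA is accepted as soon as it sends its own sub CA certificate in the handshake, so "separate users by issuing CA" holds only while peers do not present that intermediate; case 5 shows -partial_chain, the OpenSSL way to make the intermediate alone a trust anchor.

```shell
#!/bin/sh
# Added example (not from the stunnel thread): a constructed mini-PKI that
# reproduces the verify=2 observations above with "openssl verify".
#
#   Demo Root -> Demo Sub A -> client-a     (the sub CA we want to trust)
#   Demo Root -> Demo Sub B -> client-b     (another sub CA under the same root)
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# csr NAME CN: fresh RSA key plus CSR for NAME.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue NAME.crt from NAME.csr under ISSUER.
sign() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

# Self-signed root, two intermediates, one client certificate under each.
csr root "Demo Root"
openssl x509 -req -sha256 -days 365 -in "$WORK/root.csr" \
  -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
csr subA "Demo Sub A";   sign subA root ca.ext
csr subB "Demo Sub B";   sign subB root ca.ext
csr clientA "client-a";  sign clientA subA leaf.ext
csr clientB "client-b";  sign clientB subB leaf.ext

# The two candidate CAfile contents discussed in the thread.
cat "$WORK/subA.crt" > "$WORK/cafile-subA-only.pem"
cat "$WORK/subA.crt" "$WORK/root.crt" > "$WORK/cafile-subA-root.pem"

# verdict CAFILE CERT [EXTRA OPTIONS...]: "accept" or "reject", with the
# given trust store and no CApath (what stunnel's verify=2 would decide).
verdict() {
  cafile=$1; cert=$2; shift 2
  if openssl verify -no-CApath -CAfile "$cafile" "$@" "$cert" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# 1. Only the intermediate in CAfile: the chain cannot reach a self-signed
#    root, so OpenSSL reports "unable to get issuer certificate" at depth 1.
case_intermediate_only()     { verdict "$WORK/cafile-subA-only.pem" "$WORK/clientA.crt"; }
# 2. Intermediate plus root: the chain completes and client-a is accepted.
case_intermediate_and_root() { verdict "$WORK/cafile-subA-root.pem" "$WORK/clientA.crt"; }
# 3. Same CAfile, certificate from the other sub CA: Sub B is neither in the
#    store nor presented by the peer, so the issuer lookup fails at depth 0.
case_other_subca()           { verdict "$WORK/cafile-subA-root.pem" "$WORK/clientB.crt"; }
# 4. Caveat: if the peer sends its own sub CA certificate in the handshake
#    (-untrusted here), the chain builds up to the trusted root and is accepted.
case_other_subca_with_chain() {
  verdict "$WORK/cafile-subA-root.pem" "$WORK/clientB.crt" -untrusted "$WORK/subB.crt"
}
# 5. -partial_chain makes the intermediate alone a trust anchor, which is
#    what case 1 was trying to express.
case_partial_chain()         { verdict "$WORK/cafile-subA-only.pem" "$WORK/clientA.crt" -partial_chain; }

for c in case_intermediate_only case_intermediate_and_root case_other_subca \
         case_other_subca_with_chain case_partial_chain; do
  printf '%-28s %s\n' "$c" "$("$c")"
done
```

Run it as-is; each case_* function prints accept or reject. The practical consequence of case 4 is that a trust store containing the shared root accepts every sub CA under it that a client can present, so restricting users to one issuing CA needs either a store without the root (with partial-chain style trust in the intermediate) or an explicit check of the issuer after the handshake.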