[stunnel-users] Weird verify behaviour using intermediate CAs

Simon Vallet sjv at genoscope.cns.fr
Wed Sep 30 15:01:31 CEST 2009


We're trying to make use of stunnel here for proxy purposes: any
certificate-authenticated SSL client connection from the Internet would
be forwarded to some internal server.

This works fine, but I found some surprising behaviour when verifying
client certificates. Consider the following setup, using an
intermediate client CA:

* RootCA
** UserCA1
*** UserCert1

** UserCA2
*** UserCert2

To make this work, it seems I only have to include the Root CA
certificate in either a CAfile or a directory of trusted certificates.
I would have expected to have to include the intermediate CA (which is
signing the user certificate), but it seems it is not the case.

What worries me is that now *any* end-entity certificate which has been
issued by *other* intermediate CAs is accepted as valid, i.e. UserCert2
is accepted as valid, even if I don't include UserCA2 anywhere in
the configuration.

Is this really the intended behaviour? If not, what would I be
missing?


stunnel.conf -----------------------------------------------------------

connect =
CApath = /etc/stunnel/certs
cert = /etc/stunnel/apollon.genoscope.cns.fr-RevChain.pem
key = /etc/stunnel/apollon.genoscope.cns.fr-Key.pem
verify = 2
debug = 7


[root at apollon certs]# ls -l /etc/stunnel/certs/
total 4
lrwxrwxrwx 1 root root   28 sep 30 11:01 9a5490ff.0 -> GenoscopeACRacine.cacert.pem
-rw-r--r-- 1 root root 2269 sep 15 11:47 GenoscopeACRacine.cacert.pem
[root at apollon certs]#
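As an added demonstration that is not part of the original post: the script below builds a throwaway PKI shaped like the tree above with openssl and runs the chain check the way stunnel's `verify = 2` does (only RootCA trusted, the intermediate supplied by the client), then shows the alternative of pinning the trust anchor to UserCA1 so that chains through other intermediates are rejected. All key, certificate and CA names are constructed for the example.

```shell
# Constructed throwaway PKI mirroring the post's tree; not the poster's files.
set -e
WORK="$(mktemp -d)"
EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$EXT"

# issue NAME ISSUER [EXTFILE]: create a key and CSR for NAME and have ISSUER sign it.
# ISSUER "self" yields the self-signed root; EXTFILE marks the result as a CA.
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
      -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 365 ${3:+-extfile "$3"} -out "$WORK/$1.pem" 2>/dev/null
  fi
}

issue RootCA    self    "$EXT"
issue UserCA1   RootCA  "$EXT"
issue UserCA2   RootCA  "$EXT"
issue UserCert1 UserCA1
issue UserCert2 UserCA2

# root_only_accepts LEAF [SENT_INTERMEDIATE]: what verify = 2 with only RootCA in
# CApath does. -untrusted stands in for the intermediate the TLS client sends in
# its own chain; nothing about it needs to be installed on the server.
root_only_accepts() {
  openssl verify -CAfile "$WORK/RootCA.pem" ${2:+-untrusted "$WORK/$2.pem"} \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# pinned_ca1_accepts LEAF [SENT_INTERMEDIATE]: trust only UserCA1 as the anchor.
# -partial_chain lets a non-root certificate terminate the chain, so a chain via
# any other intermediate fails even though RootCA signed that intermediate too.
pinned_ca1_accepts() {
  openssl verify -partial_chain -CAfile "$WORK/UserCA1.pem" \
    ${2:+-untrusted "$WORK/$2.pem"} "$WORK/$1.pem" >/dev/null 2>&1
}

report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report root_only_accepts UserCert1 UserCA1    # accepted, as in the post
report root_only_accepts UserCert2 UserCA2    # accepted, the surprise in the post
report root_only_accepts UserCert2            # rejected: no intermediate supplied
report pinned_ca1_accepts UserCert1 UserCA1   # accepted
report pinned_ca1_accepts UserCert2 UserCA2   # rejected
```

stunnel delegates chain building to OpenSSL's verifier, so a root in CApath admits every chain that terminates at that root; restricting clients to one issuing CA needs an anchor on the intermediate itself or a check on the leaf certificate beyond chain validity.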
