[stunnel-users] stunnel sends empty list of trusted CAs

Sebastian Bork sebi at sebi.org
Thu Apr 1 12:48:12 CEST 2010

2010/3/31 Michal Trojnara <Michal.Trojnara at mirt.net>

> You should have implemented it the other way around:

The "cert" option should contain the complete certificate chain of stunnel,
> and

"CApath"/"CAfile" should only contain the trusted CA certificate for "verify
> =

2", and the trusted peer certificate for "verify = 3".


thank you for your quick reply! Alas, I think we started with a
misunderstanding. I know how the own certificate and the partner
certificates are configured, and the instance with verify=3 works for some
thirty partners. All client certificates are validated just as they should
be. The file I set in "cert" contains the three certificates in the server
certificate chain for stunnel, in the correct order. "CApath" is set to a
directory that has all the symlinks with md5 hashes for the client
certificates (the certificates themselves are all in their own
subdirectories, with another set of symlinks, so I can use the subdirectory
for an stunnel client process, and the directory at the top for the server).

So when I wrote I put the whole certificate chain for each partner in the CA
path, I meant in the directory there is the partner certificate as well as
the certificate(s) of the CA that they got their certificate from. With
"openssl verify -CApath . partner.crt" I check if everything is complete.
Maybe this is overkill, if I do not really need a self-signed certificate at
the top, but it shouldn't hurt either.

The problem is this: their SAP software (I think they use the Business
Connector, but it might be their PI directly, as indicated by the "XI" at
the end of the capture file - I am no SAP guru) does not send a partner
certificate. The partner claims this is because the "Distinguished Names"
list is empty. In this list the server is supposed to send all the CAs it
accepts, so the client can then chose one of the certificates it has
installed to present it to the server. Since the list is empty, no
certificate is found.

So I need to find a way to send back a list of accepted root CA
certificates. What I tried, and described in the mail, was this: I set up a
second stunnel with verify=2. For this, I use the same file in "cert", but a
new directory for CApath. In this directory, I have put the symlink for the
CA certificate of the partner (their own company-wide CA) , in the hope that
this is not only used to verify their client certificate when they present
it, but also sent in the Distinguished Names list of accepted CAs.
Unfortunately, this did not work, that list is still empty.

I have attached the data of the connection attempt, including a screenshot
the partner sent us, which shows the field they are talking about with a
size of "0",

Is there any way, regardless of how complex, to send the DNs? I'll gladly
patch the source and compile instead of using a binary package, as long as
it helps.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100401/beec8f10/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20100331_xi.cap
Type: application/octet-stream
Size: 2575 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100401/beec8f10/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot.doc
Type: application/msword
Size: 93184 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100401/beec8f10/attachment.doc>

More information about the stunnel-users mailing list