[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs

Tristan Schmelcher tristan_schmelcher at alumni.uwaterloo.ca
Tue Jun 1 19:22:07 CEST 2010

On Tue, Jun 1, 2010 at 12:28 AM, Magnus Therning <
magnus+stunnel at therning.org <magnus%2Bstunnel at therning.org>> wrote:

> On Mon, May 31, 2010 at 22:50, Tristan Schmelcher
> <tristan_schmelcher at alumni.uwaterloo.ca> wrote:
> [...]
> > stunnel-4.33-dns-commonname-verify-support.patch:
> >
> > I saved the best for last. ;) This adds a "verify_dns" option to check
> > the CommonName in peer certificates against their DNS name when
> > verifying, much as web browsers do.
> >
> > I have seen posts from users asking for this feature in the past, so I
> > think it's value is self-evident.
> I do like the use of a configuration option to turn on hostname
> verification.  And as you say there have been requests for this
> feature in the past, but there have also been posts of patches
> implementing it in the past (e.g.
> http://stunnel.mirt.net/pipermail/stunnel-users/2010-March/002613.html
> by me, but sans the option bit :-).

For some reason your patch didn't turn up when I was searching for this
feature before.

My thinking is that having an option for it makes a big difference.

> I do have some questions though:
> 1. If I read this patch correctly it only checks CN, is that correct?


> 2. Is there any particular reason for not including SAN in the
> verification as well?

I confess that I have never heard of anything called SAN in the context of
SSL/TLS, and I can't find anything about it online. Do you have a link?

> 3. Are the patches released under GPL?

No, I released them into the public domain since Michel requires that for
any patches that are to be incorporated into mainline stunnel.

> /M
> --
> Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
> magnus@therning.org          Jabber: magnus@therning.org
> http://therning.org/magnus         identi.ca|twitter: magthe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100601/529c0673/attachment.html>

More information about the stunnel-users mailing list