[stunnel-users] stunnel sends empty list of trusted CAs

Sebastian Bork sebi at sebi.org
Tue Mar 30 23:15:13 CEST 2010


I have a problem which Google did not help me with. A communications partner
of one of our customers wants to connect their SAP Business Connector to our
platform using HTTPS. Our software does not have SSL/TLS implemented, we
rather use stunnel for all communications links, inbound or outbound, where
the customer or partner wants to use HTTPS with client authentication.

The normal setup is "verify = 3" and the complete certificate chain for each
partner is put into the CA path. In most cases, this works without problems.
However, in the handshake, after the server certificate is sent and stunnel
asks the client to send a client certificate, stunnel sends an empty list of
trusted CAs. SAP BC expects the list of supported CAs to contain
certificates, instead of being empty. My hope was that using "verify = 2"
might help, so I have configured a new server instance of stunnel, and have
copied the certificate of the partner's own CA into the CA path.

Unfortunately, the partner says it still does not work, and the log file
shows they still do not send their certificate when the server asks for a
client cert. It seems that stunnel still returns an empty list of trusted
CAs, which causes SAP BC to find no certificate to send.

Is there any way I can configure stunnel to send back either every
certificate found in a path or file, or at least to send back some fixed
value for the trusted CAs?
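Added example, not part of the mailing-list post: the list of CA names that a TLS server puts into its CertificateRequest is what a client such as SAP BC uses to pick a client certificate, and stunnel fills that list from the `CAfile` option (OpenSSL's `SSL_load_client_CA_file`), while certificates that are only reachable through `CApath` are used for verification but are not advertised. The script below builds a single `CAfile` bundle from a `CApath`-style directory and lists the subject DNs it will advertise. All file names are hypothetical, and the two "partner" CAs are generated on the fly as test data so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the post): turn a CApath directory into the CAfile
# bundle stunnel uses to populate the CA list in its CertificateRequest, then
# inspect what that bundle would advertise. Paths are hypothetical; the CAs
# are throwaway self-signed test certificates generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"            # hashed directory layout that CApath expects
CAFILE="$WORK/partner-cas.pem"   # single PEM bundle to reference from CAfile
mkdir -p "$CAPATH"

# Create a throwaway self-signed CA certificate (constructed test data).
make_test_ca() {   # $1 = common name, $2 = output PEM path (key goes to $2.key)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Corp/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Install a certificate into a CApath directory under its subject-hash name,
# which is what c_rehash does and what stunnel's CApath lookup relies on.
install_capath() {  # $1 = PEM certificate, $2 = CApath directory
    h=$(openssl x509 -noout -subject_hash -in "$1")
    cp "$1" "$2/$h.0"
}

# Concatenate every certificate in a CApath directory into one CAfile bundle.
build_cafile() {    # $1 = CApath directory, $2 = output bundle
    : > "$2"
    for f in "$1"/*.0; do
        openssl x509 -in "$f" >> "$2"   # re-emits normalised PEM, one after another
    done
}

# Number of certificates in a PEM bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject DNs of every certificate in the bundle. These are the names a client
# sees under "Acceptable client certificate CA names" in its handshake output.
list_ca_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep '^subject='
}

# Demo: two partner CAs dropped into CApath, then bundled for CAfile.
make_test_ca "Partner CA 1" "$WORK/partner1.pem"
make_test_ca "Partner CA 2" "$WORK/partner2.pem"
install_capath "$WORK/partner1.pem" "$CAPATH"
install_capath "$WORK/partner2.pem" "$CAPATH"
build_cafile "$CAPATH" "$CAFILE"

echo "certificates in bundle: $(count_certs "$CAFILE")"
list_ca_subjects "$CAFILE"
```

To confirm what a running stunnel instance actually advertises, connect with `openssl s_client -connect host:port </dev/null` and read the block that follows the certificate chain: a populated list prints under "Acceptable client certificate CA names", whereas a server configured only with `CApath` prints "No client certificate CA names sent", which is the empty list the post describes. Point `CAfile` at the bundle (or at the partner's CA chain) and re-run the check after reloading.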