[stunnel-users] Need some informations about stunnel (AC, crl files)

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Wed Apr 27 11:37:47 CEST 2011

On Wed, 2011-04-27 10:47:42 +0200, laurent.uk at bnpparibas.com wrote:
> Hi all,
> I need some information about stunnel.
> First, when the client's software uses a certificate signed by a CA like
> VeriSign, do we need to add the certificates of this CA? Or is it not
> necessary because it is a known CA?

If you are using verify=3, stunnel checks client certificates against
the set of certificates in CApath or CAfile, not against CAs and CRLs.

In order to have stunnel check the certificate chain of client
certificates, you'll have to use verify=2. For that, stunnel needs
access to the CA's root certificate and the intermediate certificates
(i.e. they have to be locally installed to CApath/CAfile).

> Secondly, I need to download and update the CRL files, and also (if it's
> possible) the certificates of known CAs. How can I do that on my AIX
> machine, please?

This depends on the way the CA publishes its certificates and CRLs.
For VeriSign, my first idea is to use wget to download them from
http://crl.verisign.com. There may be better ways, though. And I don't
know AIX.



Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
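
The two verification modes discussed in the reply above, side by side as an stunnel configuration fragment. This is an added example, not part of the original message; the service names, ports and file paths are placeholders chosen for illustration.

```ini
; Added example: service names, ports and paths are placeholders.

; verify = 2: the client certificate chain is checked. The CA's root
; certificate and every intermediate certificate must be installed
; locally, either concatenated in CAfile or as hashed files in CApath.
[chain-checked]
accept  = 8443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
verify  = 2
CAfile  = /etc/stunnel/ca-chain.pem
; CRLs in PEM form. A CRL published in DER form has to be converted
; first, e.g. with: openssl crl -inform DER -in ca.crl -out ca.crl.pem
CRLfile = /etc/stunnel/ca.crl.pem

; verify = 3: the client certificate is checked against the set of
; certificates installed locally, so CAfile (or CApath) holds the
; permitted client certificates themselves. A certificate signed by a
; well-known CA is still rejected unless it is in that set.
[pinned-clients]
accept  = 8444
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
verify  = 3
CAfile  = /etc/stunnel/allowed-clients.pem
```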
