[stunnel-users] Confusion regarding part of stunnel.conf

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Thu Feb 10 09:37:21 CET 2011

On Wed, 2011-02-09 18:13:30 -0600, Dave wrote:
> [..]
> 1) What are the necessary settings for "authentication stuff" to prevent  
> the MITM attack vector mentioned in stunnel.conf?

As far as I understood the whole thing, you need level two or three to
force the peer to use a certificate at all.

> 2) What is the proper way to set up (self-signed) certs to prevent such  
> an attack?  Can a self-signed cert be used at a verify level of 2 or 3?

Self-signed certificates can't be checked against a certificate
authority (and can't be revoked). For self-signed certificates to be
handled sensibly, you need level three.

BTW, level three is not 'higher' than level two, just 'different':
Level two checks the certificate against a CA, while level three
checks it for being locally installed.

Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
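The two verify levels contrasted above, shown side by side as an added example stunnel.conf fragment. This is an editor's illustration, not configuration from the original post or from the stunnel project; the service names, addresses, ports and file paths are placeholders, and the option names (`verify`, `CAfile`, `CApath`, `client`, `accept`, `connect`) are the standard stunnel service options.

```ini
; Constructed example (not from the original post): one client-side
; stunnel service written twice, once per verify level discussed above.
; Names, addresses, ports and paths are placeholders.

; --- Variant A: verify = 2, peer certificate must chain to a trusted CA ---
; Any certificate issued by a CA listed in CAfile is accepted, so this
; level cannot express trust in a single self-signed certificate.
[ldaps-via-ca]
client = yes
accept = 127.0.0.1:3890
connect = ldap.example.org:636
verify = 2
; CA certificate(s) that issued the server's certificate
CAfile = /etc/stunnel/ca.pem

; --- Variant B: verify = 3, peer certificate must itself be installed locally ---
; The exact server certificate (self-signed or not) is placed under CApath;
; a certificate that is not present there is rejected even if a CA signed it.
[ldaps-pinned]
client = yes
accept = 127.0.0.1:3891
connect = ldap.example.org:636
verify = 3
; directory holding the server's own certificate, one file per certificate
CApath = /etc/stunnel/trusted
; Files in CApath are looked up by subject-name hash, so install the
; certificate under that name, e.g. (placeholder filename):
;   ln -s server.pem "$(openssl x509 -noout -hash -in server.pem).0"
```

Variant A is the right choice when the peer's certificate is issued by a CA you already trust; variant B is the one that makes a self-signed certificate meaningful, because trust is decided by the presence of that exact certificate under `CApath` rather than by a signature chain. Either way the peer is forced to present a certificate, which is the property that closes the man-in-the-middle gap left by `verify = 0` or `verify = 1`.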
