[stunnel-users] Confusion regarding part of stunnel.conf

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Thu Feb 10 18:29:08 CET 2011

On Thu, 2011-02-10 10:28:42 -0600, Dave wrote:
> [..]
> If I set the verify level to 3 and try to start stunnel, it won't
> start and says:
> "Either CApath or CAfile has to be used for authentication"
> If I have a self-signed cert, what needs to be in this file for things to
> work?  I guess perhaps I am unsure how to locally install my cert?  I thought
> it was already, as it's defined elsewhere in the config (cert = ....)?


 o cert= defines the certificate (and public key) to be presented to
   the other end of the tunnel.

 o key= defines the private key to be used for decryption (and thus
   has to match the public key given in cert=)

 o CApath= and CAfile= define the location of certificates of CAs
   and/or valid peers.

That is, the location of _your_ keys and certificate is given by cert=
and key=. The location of the _CA_ certificate (verify level=2) or the
certificates of the _peers_ (verify level=3) is given by CApath= or

You install a certificate of a valid peer by copying it to the
directory given by CApath= and run c_rehash on this directory, or by
appending it to the file given by CAfile=.




Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany

More information about the stunnel-users mailing list