I'm using stunnel in client mode to provide an SSL connection for 
offlineimap[1] which does not support verification of SSL certificates.

As I've read, stunnel does not compare the name of the server offering 
the certificate to the server name mentioned in the certificate (in the 
CN field, for example). So if I used the following section in my 


  accept  =
  connect = imap.gmail.com:993
  CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
  verify = 2

stunnel would happily accept any certificate signed by Equifax for an 
arbitrary website. Is this correct?

So I've switched to using the verify=3 option and I just want to make 
sure I configured it correctly.

I'm now using the following section


  accept  =
  connect = imap.gmail.com:993
  CAfile  = /home/ph/.certs/imaps.pem
  verify = 3

imaps.pem is a file containing two certificates, namely the first 
and the last certificate in the certificate chain of imap.gmail.com, 
that is the Equifax CA certificate and the server certificate itself.

I then use offlineimap to establish an unencrypted connection to

My understanding is that stunnel will now exclusively accept the server 
certificate stored in the imaps.pem file rendering all MITM attacks 

I'd be grateful if someone could confirm that this setup makes sense. Is 
this the way the verify=3 option is supposed to be used? First I thought 
that it should be enough to just provide the server certificate in the 
imaps.pem file, but then openssl would complain about a self-signed 
certificate, so I included the CA certificate as well.
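As an added illustration (not part of the original post and not stunnel's own code), the script below builds a throwaway CA and three leaf certificates with the openssl command-line tool, entirely offline, and runs the three checks the question contrasts: a chain-only check, which is all a CAfile with verify=2 gives you; chain plus hostname match, which is what a client that verifies names itself does (newer stunnel 5 releases expose this as the checkHost option); and pinning to one exact certificate, which is the effect of verify=3 with the server certificate in the CAfile. The CA, the names "attacker.example" and "Throwaway Test CA", the temporary directory and the config file are all constructed by the script; nothing here contacts imap.gmail.com.

```shell
#!/bin/sh
# Added example, not code from the original post or from stunnel.
# Builds a throwaway CA plus three leaf certificates with the openssl CLI
# and runs the three checks the question contrasts:
#   chain_ok  : certificate chains to the trusted CA   (stunnel verify=2)
#   host_ok   : chain check plus hostname match        (stunnel 5 checkHost)
#   pinned_ok : exactly the certificate we pinned      (stunnel verify=3
#               with the server certificate in CAfile)
# Everything is generated locally; nothing contacts imap.gmail.com.
set -e

HOST=imap.gmail.com                  # name the client wants to reach
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Throwaway Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Throwaway CA standing in for the Equifax root (constructed, not real).
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
CA="$WORK/ca.pem"

# issue <name> <cn>: leaf certificate for <cn>, signed by the throwaway CA.
issue() {
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$CA" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}
issue good "$HOST"                   # the genuine server certificate
GOOD="$WORK/good.pem"
issue evil attacker.example          # same CA, issued for another name
EVIL="$WORK/evil.pem"

# A self-signed certificate carrying the right name but no trusted issuer.
openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=$HOST" \
    -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
ROGUE="$WORK/rogue.pem"

# verify=2 analogue: anything that chains to the CA file passes.
chain_ok() { openssl verify -CAfile "$CA" "$1" >/dev/null 2>&1; }

# Chain check plus hostname match against the SAN, falling back to the CN.
host_ok() {
    openssl verify -CAfile "$CA" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

# verify=3 analogue: only the one certificate whose fingerprint we pinned.
fp() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }
PIN=$(fp "$GOOD")
pinned_ok() { [ "$(fp "$1")" = "$PIN" ]; }

# report <label> <file>: print the verdict of each check on one certificate.
report() {
    for check in chain_ok host_ok pinned_ok; do
        if "$check" "$2"; then verdict=accept; else verdict=REJECT; fi
        printf '%-22s %-10s %s\n' "$1" "$check" "$verdict"
    done
}
report "good (CA, right name)" "$GOOD"
report "evil (CA, wrong name)" "$EVIL"
report "rogue (self-signed)"   "$ROGUE"
```

Run it with a POSIX sh and OpenSSL 1.1.1 or later (the verify command's -verify_hostname option is needed). The second block of output is the case the question worries about: a certificate from the trusted CA but for a different name is accepted by the chain-only check and rejected only once names or pins are compared. The third block shows the other side of it: a name match is worthless without a trusted chain. Pinning is the strictest of the three, and its cost is operational rather than cryptographic: when the genuine server rotates its certificate the pin stops matching and the connection fails until the pinned file is updated.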


