[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Michal Trojnara Michal.Trojnara at mirt.net
Thu Nov 3 22:45:27 CET 2011


al_9x at yahoo.com wrote:
> 1. Are the certificates restricted to the host(s) specified in them  
> (CN, alt name)?  Or will they validate any site that happens to  
> return them?

Hostname checks against distinguished name and alternative name fields  
are not supported by stunnel.  They would not be really useful,  
as "connect" targets are statically defined in stunnel.conf.  It's  
easier and more secure to assign a separate CAfile to each service  
section of stunnel.conf (see an example below).

> 2. I think some host restriction makes sense, but rather than use  
> what's inside the cert, it would be good to allow the user to  
> specify the host name(s) which a given cert should be restricted to.

client = yes
verify = 3
; or verify = 4

[section1]
accept = port1
connect = target1
CAfile = target1.pem

[section2]
accept = port2
connect = target2
CAfile = target2.pem

> 3. The certificates are only used for server verification, they  
> would never be treated as CA, right?

Yes, OpenSSL checks certificate purpose specified in X.509 v3  
basicConstraints.

See openssl-1.0.0e/crypto/x509v3/v3_purp.c file for the implementation.

Mike