[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Michal.Trojnara at mirt.net
Thu Nov 3 22:45:27 CET 2011
al_9x at yahoo.com wrote:
> 1. Are the certificates restricted to the host(s) specified in them
> (CN, alt name)? Or will they validate any site that happens to
> return them?
Hostname checks against distinguished name and alternative name fields
are not supported by stunnel. They would not be really useful,
as "connect" targets are statically defined in stunnel.conf. It's
easier and more secure to assign a separate CAfile to each service
section of stunnel.conf (see an example below).
> 2. I think some host restriction makes sense, but rather than use
> what's inside the cert, it would be good to allow the user to
> specify the host name(s) which a given cert should be restricted to.
client = yes
verify = 3 (or 4)

; section names below are placeholders
[target1]
accept = port1
connect = target1
CAfile = target1.pem

[target2]
accept = port2
connect = target2
CAfile = target2.pem
> 3. The certificates are only used for server verification, they
> would never be treated as CA, right?
Yes, OpenSSL checks the certificate purpose specified in X.509 v3.
See the openssl-1.0.0e/crypto/x509v3/v3_purp.c file for the implementation.
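The advice above (one CAfile per service section, because stunnel does not match the presented certificate against the connect target) is easy to lose in a larger stunnel.conf where a global CAfile is set. The following added example, which is not stunnel's own code or from this thread, is a small stdlib-only audit script that parses the INI-like stunnel.conf format and reports every client section that does not pin its own CAfile or does not require a verified peer certificate. The sample configuration, its section names, hostnames and file names are all constructed for the demonstration.

```python
"""Audit an stunnel.conf for client sections that do not pin their own CAfile.

Added example, not stunnel's code. Assumptions: stunnel's INI-like syntax
('key = value', '[section]' headers, ';' or '#' comment lines), options
given before the first section header are global defaults, and a section
option overrides the global one with the same name.
"""
from typing import Dict, List, Tuple


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global_options, {section_name: options}).

    Option names are lowercased so that 'CAfile' and 'cafile' compare equal.
    """
    global_opts: Dict[str, str] = {}
    sections: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            sections[name] = {}
            current = sections[name]
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return global_opts, sections


def effective(section: Dict[str, str], global_opts: Dict[str, str], key: str) -> str:
    """A section-level option wins; otherwise the global default applies."""
    return section.get(key, global_opts.get(key, ""))


def audit_cafile_pinning(text: str) -> List[str]:
    """Return one finding per client section that is weaker than the mail recommends.

    A client section that inherits the global CAfile accepts any chain from that
    shared file for its connect target, which is the cross-service acceptance a
    per-section CAfile avoids. verify=2/3/4 require a verified peer certificate.
    """
    global_opts, sections = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, opts in sections.items():
        if effective(opts, global_opts, "client").lower() != "yes":
            continue  # server-mode sections verify clients, a separate concern
        verify = effective(opts, global_opts, "verify")
        if verify not in ("2", "3", "4"):
            findings.append(
                f"[{name}] verify={verify or 'unset'}: a verified peer certificate is not required"
            )
        if "cafile" not in opts:
            findings.append(
                f"[{name}] no section-level CAfile; relies on global "
                f"{global_opts.get('cafile') or 'nothing'}"
            )
    return findings


# Constructed sample configuration (placeholder names, not from the mail).
SAMPLE_CONF = """
client = yes
verify = 3
CAfile = shared.pem

[target1]
accept = 1443
connect = target1.example:443
CAfile = target1.pem

[target2]
accept = 2443
connect = target2.example:443

[local-server]
client = no
accept = 3443
connect = 127.0.0.1:80
cert = server.pem
"""

if __name__ == "__main__":
    for finding in audit_cafile_pinning(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the script reports only `[target2]`, which silently falls back to the shared CAfile; `[target1]` pins its own file and `[local-server]` is skipped because it is not a client section.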