[stunnel-users] Verify=2 and Verification Depth...

• Previous message (by thread): [stunnel-users] Problem with round robin on stunnel 5.0 and 5.1
• Next message (by thread): [stunnel-users] Verify=2 and Verification Depth...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It was my understanding that when you have an Stunnel Server configured
with 'verify=2', that the client that connects must have a certificate
signed by the same CA/SubCA combination that the server does. So for
example:

  - My_Root_Ca (private CA)
    - Some_Random_Cert.pem
    - Stunnel_Sub_Ca:
      - Server.pem
      - Client.pem
    - Postgres_Sub_Ca:
      - Server.pem
      - postgres_user.pem

With the above structure in place (and the stunnel server using
Stunnel_Sub_Ca/Server.pem) if someone tried to connect in with the
Stunnel_Sub_Ca/Client.pem cert, it would work... but if they tried to
connect in with Postgres_Sub_Ca/Server.pem, it wouldn't.

Unfortunately we're not seeing that behavior... we're seeing a behavior
where *every* cert signed by the overall Root CA is validated. We're able
to connect in using Some_Random_Cert.pem, Postgres_Sub_Ca/Server.pem and
Postgres_Sub_Ca/postgres_user.pem.

This feels wrong ... what am I missing?

(We're using Stunnel 4.55 btw)

Matt Wise
Sr. Systems Architect
Nextdoor.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140411/d7a6a74a/attachment.html>

• Previous message (by thread): [stunnel-users] Problem with round robin on stunnel 5.0 and 5.1
• Next message (by thread): [stunnel-users] Verify=2 and Verification Depth...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]