[stunnel-users] Client SSL certificate

Michal Trojnara Michal.Trojnara at mirt.net
Fri Jun 13 09:37:36 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

reg14 at rambler.ru wrote:
>> stunnel does not validate common names at all, as, unlike web 
>> browsers, it does not allow for dynamic selection of servers.
> If I understand the man page properly, in transparent mode stunnel 
> should connect to any server that a non-SSL aware client is going
> to.

You understand the man page properly, although in transparent
destination mode it would not be possible for stunnel to verify the
common name against DNS name of the server.  Why?  Because stunnel
does not know the target server's DNS name, only its IP address.  Only
the original client knows the server name that resolved to this IP
address.

Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlOaqkAACgkQ/NU+nXTHMtFB6gCg8TFgyzDk4hkOYFscfF9KRBN/
hesAn0tG3hv1zsRX1Avqtpk69nCc9elQ
=qSPH
-----END PGP SIGNATURE-----


More information about the stunnel-users mailing list