[stunnel-users] How to install CA at client side?

Josealf.rm josealf at rocketmail.com
Tue Sep 15 13:15:05 CEST 2015

Are you sure the bundle has the entire certificate chain for the CA?

I usually use the CApath parameter. It requires each certificate in it's own file with the hashed name as explained in the howto.


> El 15/9/2015, a las 2:32, MingHeng Wang <ifoolb at gmail.com> escribió:
> Hello Stunnel maintainers,
> I try to use real certificates of my web server for stunnel. I combine private key, my site's cert, and ca-bundle into a pem file, and it works fine when the client doesn't verify any certificate. Then I specify CAfile which is the ca bundle file from my registrar, at client side and turn on verification and always get errors below, whatever level 2 or 3:
> Sep 15 14:53:28 y400 stunnel[11666]: LOG5[11]: Service [http-proxy3] connected remote server from
> Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: CERT: Pre-verification error: unable to get issuer certificate
> Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: Rejected by CERT at depth=2:
> However, level 4 works. I want to prevent man-in-middle-attack, so can level 4 achieve that regarding to my current setup?
> Both server and client side use stunnel 5.17 which are fairly recent.
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20150915/71f26f08/attachment.html>

More information about the stunnel-users mailing list