[stunnel-users] Using stunnel for TLS with Geotrust cert?

Jon Bogaty jbogaty at classpass.com
Mon Mar 28 16:27:19 CEST 2016

Hey stunnel-users,
I'm having an issue both on stunnel4 and on 5 which I think is more
related to a lack of understanding of the difference between how
stunnel uses intermediate chain certs and root CA certs. I have from
Geotrust, who signs my SSL certs, an intermediate.crt which by the
stunnel docs should be catted into one stunnel.pem with the cert for
my domain and the private key.

The issue is when I setup everything on the server and try to connect
with a client I either get for "verify 2" warnings about MiTM
authentication problems, or for "verify 3" or "verify 4", which should
disable CA checking altogether to my understanding, "Please specify

I feel like I'm missing something critical in terms of pieces.  The
goal is to use stunnel as a proxy for mysql and the conf is pretty

sslVersion = TLSv1

setuid = stunnel4
setgid = stunnel4
pid = /var/lib/stunnel4/stunnel4.pid
debug = 7
foreground = yes

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

cert = /etc/stunnel/stunnel.pem
verify = 3

accept  = 3307
connect = localhost:3306

It runs just fine using supervisor.

Any thoughts and how I could make the handshake work between server
and client using geotrust's intermediate crt as the CA cert, or
something similar? It contains certs down to the root level.


More information about the stunnel-users mailing list