[stunnel-users] Using stunnel for TLS with Geotrust cert?

Jon Bogaty jbogaty at classpass.com
Mon Mar 28 17:04:41 CEST 2016


Ideally what I'd love to do is enable developers to be able to connect
their remote apps to the database proxy *without* the client-side
handshake, but I was honestly not aware it was possible. So the ideal
would be:

Remote app connects directly via the mysql driver to stunnel on port 3307,
encrypted with TLS;
stunnel forwards the connection to the proxy on 3306.

If that is possible without maintaining a connection stunnel to
stunnel that would be beyond awesome, I'm just totally failing to see
how to accomplish it!

One thing I did find though is the root cert for geotrust so I'm
running tests now to see if that helps or at least generates new info.
Based on your feedback I'm testing the following:
cert = /etc/stunnel/stunnel.pem
cafile = /etc/stunnel/GeoTrust_Global_CA.pem

verify = 3

On Mon, Mar 28, 2016 at 10:58 AM, Michał Trojnara
<Michal.Trojnara at stunnel.org> wrote:
> On 28.03.2016 16:27, Jon Bogaty wrote:
>> The issue is when I setup everything on the server and try to
>> connect with a client I either get for "verify 2" warnings about
>> MiTM authentication problems, or for "verify 3" or "verify 4",
>> which should disable CA checking altogether to my understanding,
>> "Please specify CApath".
>
> Verify levels 3 and 4 do *not* disable certificate verification.
> Verify level 3 requires the peer certificate in your CAfile.
> Verify level 4 *only* requires the peer certificate.
>
> Are you sure you want to enable peer certificate (i.e. client
> certificate) verification in your SSL server configuration?
>
> Best regards,
>         Mike
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
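Editor's note, added here and not part of the original thread: the two configurations below put the posted server-side snippet (cert + CAfile + verify = 3) beside what the "verify" levels Mike describes actually call for. "verify = 3" on the *server* makes stunnel demand a client certificate that is itself listed in CAfile, which is why a plain MySQL client is turned away; a server that only needs to *present* the GeoTrust-issued certificate sets "cert" and no "verify" at all, and the CA checking belongs on the client side ("verify = 2" plus the GeoTrust root in CAfile). One caveat on the "no client-side stunnel" wish: a MySQL driver's own SSL mode starts the connection in cleartext and only upgrades to TLS inside the MySQL handshake, so it cannot talk to an stunnel listener that expects a TLS ClientHello as the first bytes; a client-side stunnel (or TLS terminated by the proxy itself) is still needed. Hostnames, the 127.0.0.1 bind address and the section names are assumed for illustration; the "checkHost" option is an stunnel 5.x feature.

```ini
; ===== Server side, as posted (proxy host) =====
; verify = 3 means: require a client certificate AND require that exact
; certificate to be present in CAfile. Developers' MySQL clients have no
; certificate to offer, so the handshake fails.
[mysql-tls-server-as-posted]
accept  = 3307                      ; assumed listener port from the thread
connect = 127.0.0.1:3306            ; assumed: proxy on the same host
cert    = /etc/stunnel/stunnel.pem
CAfile  = /etc/stunnel/GeoTrust_Global_CA.pem
verify  = 3

; ===== Server side, corrected (proxy host) =====
; Present the GeoTrust-issued certificate only. stunnel.pem must contain the
; private key, the server certificate and the GeoTrust intermediate(s), so a
; client can build a chain up to GeoTrust_Global_CA. No "verify" line: client
; certificates are neither requested nor checked.
[mysql-tls-server]
accept  = 3307
connect = 127.0.0.1:3306
cert    = /etc/stunnel/stunnel.pem

; ===== Client side (developer machine) =====
; The app speaks plain MySQL to 127.0.0.1:3306; stunnel wraps it in TLS and
; sends it to the proxy's stunnel on 3307. verify = 2 validates the server's
; chain against CAfile but does not by itself match the hostname, so
; checkHost (stunnel 5.x) is set to the name on the GeoTrust certificate.
[mysql-tls-client]
client    = yes
accept    = 127.0.0.1:3306
connect   = db-proxy.example.com:3307   ; assumed proxy hostname
CAfile    = /etc/stunnel/GeoTrust_Global_CA.pem
verify    = 2
checkHost = db-proxy.example.com
```

Option names in stunnel.conf are case-insensitive, so the posted "cafile" and "CAfile" are the same setting. Only one of the two server sections goes into the real server-side file; they are shown together to contrast the posted setting with the corrected one.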



More information about the stunnel-users mailing list