[stunnel-users] VerifyPeer = yes not working.
Malgorzata.Olszowka at stunnel.org
Fri Feb 7 13:33:30 CET 2020
> I have uncovered a case in which VerifyPeer = yes is not working. What's
> happening is that the locally installed
> certificate is old and expired, and does not match the current,
> up-to-date server certificate, yet Stunnel is letting
> it pass and verifying okay. I've pasted the certificates, config, and
> log below, and clearly the certificates are different.
Certificate renewal may be the issuance of a new certificate to the
subscriber without changing the public key or any other information in
the certificate. But if you know or suspect that the key pair has been
compromised you can also send a certificate signing request with the
newly generated public key.
In your case, the certificate has been renewed with the old public key.
The CA copies the public key from the CSR to the certificate, so your
locally installed and remote certificates originate from the same public
The verifyPeer option means that your client simply trusts the public
key of the certificate stored in the CAfile option. stunnel
retrieves the subject name from the remote certificate, finds matching
certificates in the local store and checks the extracted public key with
its embedded copy of the public key. This idea is based on Public Key
Pinning. In this case, the certificate subject name and the public key
are matched, so the verification is successful.
Mike promised to improve the manual for clarity.
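To make the public-key pinning behaviour described above concrete, here is an added example (not stunnel code and not from the list thread) that builds two certificates for one key pair with different serial numbers and validity periods, plus one for a freshly generated key pair, and compares only their public keys, which is what a pin check looks at. It assumes the openssl command-line tool is installed; all certificates and names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the stunnel project): shows why a renewed
# certificate issued for the *same* key pair still passes a public-key
# pinning check, while a certificate for a new key pair does not.
# Assumes the openssl command-line tool is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the SHA-256 fingerprint of a certificate's SubjectPublicKeyInfo.
# A pin check compares this value; the certificate's own fingerprint,
# serial number and validity dates play no part in it.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Report "match" when two certificates carry the same public key,
# "mismatch" otherwise.
same_key() {
    if [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed test material: one key pair with an "old" and a "renewed"
# certificate (different serials and lifetimes), and a "rekeyed"
# certificate issued for a newly generated key pair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/old.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=example.test" \
    -days 1 -set_serial 1 -out "$WORK/old.crt" 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=example.test" \
    -days 365 -set_serial 2 -out "$WORK/renewed.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/new.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/new.key" -subj "/CN=example.test" \
    -days 365 -set_serial 3 -out "$WORK/rekeyed.crt" 2>/dev/null

echo "old vs renewed (same key pair): $(same_key "$WORK/old.crt" "$WORK/renewed.crt")"
echo "old vs rekeyed (new key pair):  $(same_key "$WORK/old.crt" "$WORK/rekeyed.crt")"
```

The first comparison reports a match even though the two certificates differ in serial number and validity, which is exactly the situation in the original report; only the rekeyed certificate fails the pin.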