[stunnel-users] VerifyPeer = yes not working.

Małgorzata Olszówka Malgorzata.Olszowka at stunnel.org
Fri Feb 7 13:33:30 CET 2020

> I have uncovered a case in which VerifyPeer = yes is not working. What's 
> happening is that the locally installed
> certificate is old and expired, and does not match the current, 
> up-to-date server certificate, yet Stunnel is letting
> it pass and verifying okay.  I've pasted the certificates, config, and 
> log below, and clearly the certificates are different.

Hello Thomas,
Certificate renewal may be the issuance of a new certificate to the 
subscriber without changing the public key or any other information in 
the certificate. But if you know or suspect that the key pair has been 
compromised you can also send a certificate signing request with the 
newly generated public key.

In your case, the certificate has been renewed with the old public key.

The CA copies the public key from the CSR to the certificate, so your 
locally installed and remote certificates originate from the same public 

The verifyPeer option means that your client simply trusts the public 
key of the certificate stored in the CAfile option. The stunnel 
retrieves the subject name from the remote certificate, finds matching 
certificates in the local store and checks the extracted public key with 
its embedded copy of the public key. This idea is based on Public Key 
Pinning. In this case, the certificate subject name and the public key 
are matched, so the verification is successful.

Mike promised to improve the manual for clarity.


More information about the stunnel-users mailing list