[stunnel-users] Stunnel and configuration

02-22-2005
Bohdan Linda

Hi all,

I have configured stunnel to do the client authentication, but I have
some questions.

I have used the following config:

; file with signed server cert and key (passwordless)
cert = /etc/certificates/server.pem

chroot = /var/run/stunnel/

; file where first item is my CA certificate followed by list of
; all client certificates signed by my CA
CAfile = /etc/certificates/certs

setuid = nobody
setgid = nogroup
pid = /stunnel.pid
verify = 3

This setup is working, but it seems very "illogical" to me.
If I create a setup that is "more logical" to me:

cert = /etc/certificates/server.pem
chroot = /var/run/stunnel/
; only certificate of my CA
CAfile = /etc/certificates/CA/cacert.pem
; only certificates signed by my CA
CRLfile = /etc/certificates/crls

I get the following error:
2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C= .....
2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C=


The question is ... why? Why does CAfile have to contain all client
certificates, when client certs are not CAs? Why can't I have a separate
file for the CA and a separate file for the certificates that I want to
accept? If I do a similar setup in mod_ssl, the configuration works as
expected.

Anyway, I am a newbie at deploying stunnel, so I would like to ask you
for your opinion of this configuration, its caveats and possible
enhancements.

Thanks for any comments,
Bohdan Linda
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
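
Added example, not part of the original post or of stunnel itself: a Python triage over log lines in the format quoted above, pairing each connection's `VERIFY OK` lines with a `VERIFY ERROR ONLY MY` refusal so that connections whose issuer verified at depth 1 but whose peer certificate was still refused stand out. The sample log, the subject names and the status labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post. Subject names
# are placeholders; the post elides the real ones.
SAMPLE_LOG = """\
2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C=XX/O=Example/CN=Example CA
2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C=XX/O=Example/CN=client-a
2005.02.22 15:16:02 LOG5[22418:81930]: VERIFY OK: depth=1, /C=XX/O=Example/CN=Example CA
2005.02.22 15:16:02 LOG5[22418:81930]: VERIFY OK: depth=0, /C=XX/O=Example/CN=client-b
"""

LINE = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG\d\[(?P<conn>\d+:\d+)\]: (?P<msg>.*)$")
VERIFY_OK = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+), (?P<subject>.+)$")
ONLY_MY = re.compile(r"^VERIFY ERROR ONLY MY: no cert for (?P<subject>.+)$")


def triage(log_text):
    """Return {connection id: (status, subject)} from stunnel verify lines."""
    ok = defaultdict(dict)  # conn -> {depth: subject} for VERIFY OK lines
    refused = {}            # conn -> subject named in VERIFY ERROR ONLY MY
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # skip anything that is not in the expected format
        conn, msg = line["conn"], line["msg"]
        if m := VERIFY_OK.match(msg):
            ok[conn][int(m["depth"])] = m["subject"]
        elif m := ONLY_MY.match(msg):
            refused[conn] = m["subject"]
    report = {}
    for conn in sorted(set(ok) | set(refused)):
        if conn in refused:
            # Issuer chain passed (depth >= 1) but the peer certificate itself
            # was refused: the case the post hits with only the CA in CAfile.
            chain_ok = any(d >= 1 for d in ok[conn])
            status = "refused-chain-ok" if chain_ok else "refused"
            report[conn] = (status, refused[conn])
        elif 0 in ok[conn]:
            report[conn] = ("accepted", ok[conn][0])
        else:
            report[conn] = ("incomplete", None)
    return report


if __name__ == "__main__":
    for conn, (status, subject) in triage(SAMPLE_LOG).items():
        print(conn, status, subject)
```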