Ideally what I'd love to do is enable developers to be able to connect their remote apps to the database proxy *without* the client-side handshake, but I was honestly not aware it was possible. So the ideal would be:
Remote app connects directly via mysql driver to stunnel on port 3307, encrypted with TLS
stunnel forwards the connection to the proxy on 3306

If that is possible without maintaining a stunnel-to-stunnel connection, that would be beyond awesome, I'm just totally failing to see how to accomplish it!

One thing I did find though is the root cert for GeoTrust, so I'm running tests now to see if that helps or at least generates new info. Based on your feedback I'm testing the following:

    cert = /etc/stunnel/stunnel.pem
    cafile = /etc/stunnel/GeoTrust_Global_CA.pem
    verify = 3

On Mon, Mar 28, 2016 at 10:58 AM, Michał Trojnara <[email protected]> wrote:
> On 28.03.2016 16:27, Jon Bogaty wrote:
>> The issue is when I set up everything on the server and try to
>> connect with a client I either get, for "verify 2", warnings about
>> MiTM authentication problems, or, for "verify 3" or "verify 4",
>> which should disable CA checking altogether to my understanding,
>> "Please specify CApath".
>
> Verify levels 3 and 4 do *not* disable certificate verification.
> Verify level 3 requires the peer certificate in your CAfile.
> Verify level 4 *only* requires the peer certificate.
>
> Are you sure you want to enable peer certificate (i.e. client
> certificate) verification in your SSL server configuration?
>
> Best regards,
> Mike

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
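As an added illustration of the verify levels Mike describes, here is a server-side stunnel service for the 3307 -> 3306 setup in the message above. This is example configuration written for this page, not a file from the thread or from the stunnel project; the service name, file paths and the private CA are assumptions. It shows the setting Jon tried (a public GeoTrust root under verify = 3) next to configurations that actually match each verify level.

```ini
; Added example, not from the thread. stunnel 5.x, server mode (default).
; Service name, paths and the private CA are assumptions.
[mysql-proxy]
accept  = 3307                 ; TLS endpoint the remote apps connect to
connect = 127.0.0.1:3306       ; plaintext database proxy behind stunnel
cert    = /etc/stunnel/stunnel.pem   ; server certificate and key

; --- What was tried: does NOT work as intended ---------------------------
; verify = 3 requires the client's own certificate to be present in CAfile
; (a CA root alone, such as GeoTrust's, is not enough), so every client is
; rejected. Shown here only for contrast; leave it commented out.
;verify = 3
;CAfile = /etc/stunnel/GeoTrust_Global_CA.pem

; --- Option A: require a client certificate, check it against our CA ------
; verify = 2 accepts any certificate that chains to a CA in CAfile. That is
; only a useful access control if CAfile holds a private CA you issue client
; certs from; a public root would admit anyone who can buy a cert from it.
verify = 2
CAfile = /etc/stunnel/private-ca.pem

; --- Option B: pin the exact client certificates (no chain check) ---------
; verify = 4 verifies only the peer certificate itself against CAfile, so
; CAfile is simply a concatenation of the allowed client certificates.
; (verify = 3 would additionally require the chain to validate, so the
; issuing CA would have to be in CAfile as well.)
;verify = 4
;CAfile = /etc/stunnel/allowed-clients.pem

; --- Option C: no client authentication at all ---------------------------
; Server certificate only; the remote app authenticates to the proxy with
; its database credentials. This is the level that "disables CA checking".
;verify = 0
```

Use exactly one of the three `verify` settings per service. Whichever you pick, the remote application must speak TLS from the first byte it sends to port 3307: stunnel in server mode expects a plain TLS handshake and has no MySQL-specific STARTTLS handling, so a client that first waits for a plaintext MySQL greeting will not get past the handshake.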
