Hi David,

On 8/26/22 13:51, [email protected] wrote:
> If I hash the client certificates and put them in a folder (with file names 
> <hash>.0), and use the CAPath parameter on the server, together with 
> verify=3, the server's Certificate Request message contains an empty list of 
> "Distinguished Names". 
> However, if I put the client certificates concatenated in a .pem file, and 
> use the CAFile parameter on the server, the Certificate Request message does 
> contain the Distinguished Names.
>
> Is this the correct behavior? I thought CAFile and CAPath worked more or less 
> in the same way, but perhaps the Certificate Request message is implemented 
> differently, depending on if you use CAFile or CAPath?
> My preferred way is to use CAPath: Is there some way I can get the 
> Distinguished Names not to be empty, when using CAPath?

TL;DR:  Yes, this is the correct behavior.  Also, you probably misuse
X.509 by adding and removing individual client certificates instead of
using its hierarchical trust model:
https://en.wikipedia.org/wiki/X.509

The main difference between CAfile and CApath is that CAfile reads all
the certificates with stunnel's configuration file, while CApath
only reads a certificate during certification path validation.
https://en.wikipedia.org/wiki/Certification_path_validation_algorithm

Using CApath saves startup time and memory usage with a large number of
trusted certificates, but it does not allow for building a list of
trusted Distinguished Names.  Consequently, there is no way for stunnel
to use CApath with automatic client certificate selection.
https://textslashplain.com/2020/05/04/client-certificate-authentication/

The proper way to configure automatic client certificate selection is to
provide the CA certificate used for signing your client certificates
with CAfile and the list of revoked certificates with CRLfile.

Best regards,
    Mike
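The two layouts discussed above, as an added example that is not part of the thread: a POSIX shell script that splits a PEM bundle into a CApath directory with the `<hash>.N` file names the question describes (the same naming `c_rehash` produces), and a generator for the two server-side stunnel.conf variants, the CApath one that leaves the Distinguished Names list empty and the CAfile plus CRLfile one Mike recommends. It requires the `openssl` CLI; all paths, section names and ports are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the stunnel thread. Requires the openssl CLI.
# Paths under /etc/stunnel and the port numbers are assumptions.
set -eu

# Split a concatenated PEM bundle ($1) into one file per certificate and
# install each as <subject_hash>.N in directory $2, which is exactly the
# layout CApath expects (what the c_rehash tool does). Prints the number
# of files now in the directory.
build_capath() {
    bundle=$1
    dir=$2
    mkdir -p "$dir"
    tmp=$(mktemp -d)
    # One output file per BEGIN/END CERTIFICATE block.
    awk -v out="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for c in "$tmp"/*.pem; do
        h=$(openssl x509 -in "$c" -noout -subject_hash)
        i=0
        # Same subject hash twice: bump the numeric suffix (.0, .1, ...).
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        cp "$c" "$dir/$h.$i"
    done
    rm -rf "$tmp"
    ls "$dir" | wc -l | tr -d ' '
}

# Emit a server-side stunnel.conf service section. Mode "capath" is the
# hashed-directory setup from the question: chains still verify, but the
# Certificate Request carries an empty Distinguished Names list. Mode
# "cafile" is the CA-based setup from the answer: the issuing CA's DN is
# advertised, so clients can pick a certificate automatically, and
# revocation is handled through CRLfile instead of deleting files.
stunnel_server_conf() {
    mode=$1
    cat <<EOF
[mtls-server]
accept  = 8443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
EOF
    if [ "$mode" = capath ]; then
        # verify=3: peer cert must itself be among the locally installed ones
        echo "verify  = 3"
        echo "CApath  = /etc/stunnel/trusted"
    else
        # verify=2: verify the chain up to the CA given in CAfile
        echo "verify  = 2"
        echo "CAfile  = /etc/stunnel/client-ca.pem"
        echo "CRLfile = /etc/stunnel/client-ca.crl"
    fi
}

# Usage: ./capath.sh bundle.pem /etc/stunnel/trusted
if [ $# -ge 2 ]; then
    build_capath "$1" "$2"
    echo "--- stunnel.conf (CApath) ---";  stunnel_server_conf capath
    echo "--- stunnel.conf (CAfile) ---";  stunnel_server_conf cafile
fi
```

Note that `build_capath` only reproduces the directory layout; it does not change what stunnel sends in the Certificate Request. The `cafile` section is the one to deploy when clients should be able to select a certificate on their own.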
_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
