On Wed, Jan 14, 2015 at 09:54:38PM +0000, Viktor Dukhovni wrote:

> Then with "verify = 3", stunnel will
> verify the peer (until some part of the DN changes).

In this case the subject DN does not appear to be decorated with any particularly volatile data. The server's chain is:

subject=/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
issuer=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

So a CAfile that includes the root CA cert for:

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

and any cert with a subject name of:

/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com

should do (stunnel just checks for a cert in the CAfile that matches the peer's subject DN).

For the latter, the following command will generate a suitable certificate (with a discarded private key):

openssl req -new -nodes -newkey rsa:2048 -keyout /dev/null \
    -config <(printf "[req]\n%s\n%s\n[dn]\n" "prompt = yes" "distinguished_name = dn") \
    -x509 -days $((365 * 100)) \
    -subj "/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com"

The above requires "bash", for <(command) in-line file-handles. You could use the below instead if you like:

-- 
Viktor.
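As an added example (not part of the mail above or of stunnel itself), the script below emulates the "verify = 3" subject-DN check so an operator can confirm, before deploying, that a CAfile actually contains a certificate whose subject DN equals the peer's. It assumes openssl(1) is in PATH and that the CAfile and peer certificate are PEM; `make_dn_cert` builds the same kind of DN-only placeholder certificate as the command in the mail, using a temporary config file in place of bash process substitution.

```shell
#!/bin/sh
# Added example: pre-check a stunnel CAfile for a subject-DN match (verify = 3 semantics).
# Assumes openssl(1) in PATH and PEM-formatted input files.

# Generate a self-signed certificate carrying only the given subject DN ($1),
# writing it to $2 and discarding the private key (same idea as the mail's command).
make_dn_cert() {
    cfg=$(mktemp) || return 1
    # Minimal config: a req section pointing at an (empty) dn section; -subj supplies the DN.
    printf '[req]\nprompt = yes\ndistinguished_name = dn\n[dn]\n' > "$cfg"
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout /dev/null \
        -config "$cfg" -days 36500 -subj "$1" -out "$2" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Print the subject DN (RFC 2253 form, one per line) of every certificate in a PEM bundle.
bundle_subjects() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inside = 0
            cmd = "openssl x509 -noout -subject -nameopt RFC2253"
            printf "%s", buf | cmd   # hand this one certificate to openssl
            close(cmd)
        }
    ' "$1"
}

# Succeed (exit 0) iff some certificate in CAfile $1 has exactly the subject DN of peer cert $2.
# This is the relationship stunnel "verify = 3" relies on: any change in the peer's DN breaks it.
dn_in_cafile() {
    peer_dn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2") || return 2
    bundle_subjects "$1" | grep -Fxq -- "$peer_dn"
}
```

Run `dn_in_cafile /path/to/CAfile /path/to/peer.pem` and check the exit status; a non-zero result means stunnel will reject the peer with `verify = 3` even though the chain itself may validate.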