Thank you for your help. Well, I got that PSK is the best option and I fully agree with you, but I like learning and understanding.
Setting aside the PSK option for now (removing it from the config file), I used to be able to use the VerifyPeer parameter with the PEM generated by Stunnel ("Build a Self-signed stunnel.pem"). Just so that I understand, is it still possible to do it or do I need a robust / real certificate signed by a CA?

I am by no means knowledgeable in certificates, so I would like to understand where the "CERT: Pre-verification error: unsupported certificate purpose" comes from and how I could solve that problem. Could a self-signed or a Let's Encrypt one do, and what do I need to change to make verifyPeer work?

Thanks.

On Tue, Oct 13, 2020 at 3:03 PM Małgorzata Olszówka <[email protected]> wrote:

> On 12.10.2020 at 14:29, Bob Bob wrote:
> > Hi,
> >
> > I just updated to version 5.57 and the config I used forever does not
> > work anymore.
> > I regenerated the self certs using the "Build a Self-signed stunnel.pem"
> > in Windows and made sure the CN was matching the hostname
> > of the server machine.
> >
> > I understand there is an issue with the self-signed certificate...
> > ...but it was working fine under 5.56.
> >
> > Server configuration
> > [Server_SyncThing]
> > cert = stunnel.pem
> > accept = 999
> > connect = 127.0.0.1:24596
> > ciphers = PSK
> > PSKsecrets = psk.txt
> >
> > Client configuration
> > [SyncThing]
> > client = yes
> > accept = 127.0.0.1:24596
> > connect = 192.168.0.102:999
> > verifyPeer = yes
> > CAfile = stunnel.pem
> > PSKsecrets = psk.txt
> >
>
> Hi Bob,
> The easiest way to configure authentication is with PSK (Pre-Shared
> Key). It provides both client and server authentication. PSK is also the
> fastest TLS authentication.
>
> But use of the PSKsecrets option in combination with the verifyPeer
> option in your configuration file doesn't work.
> Either the PSK secret or the peer certificate is used for authentication.
>
> You just need to disable the verifyPeer option. A certificate is also not
> required.
>
> Best regards,
> Małgorzata Olszówka
> _______________________________________________
> stunnel-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
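The conflict described in the quoted reply (PSKsecrets together with verifyPeer in one service), as an added example that is not part of the original thread and not stunnel's own code: a small Python check that flags such services in a configuration file. The function names and the sample configuration are constructed for illustration, and the handling of options placed before the first section as defaults is an assumption.

```python
# Added example (not stunnel code): flag services that set both PSKsecrets
# and verifyPeer = yes, the combination the reply says does not work.

# Constructed sample: the quoted client service plus a PSK-only variant.
SAMPLE_CONF = """\
[SyncThing]
client = yes
accept = 127.0.0.1:24596
connect = 192.168.0.102:999
verifyPeer = yes
CAfile = stunnel.pem
PSKsecrets = psk.txt

[SyncThing_PSK_only]
client = yes
accept = 127.0.0.1:24597
connect = 192.168.0.102:999
PSKsecrets = psk.txt
"""

def parse_services(text):
    """Return {service: {option_lowercased: last_value}}; '' holds global lines."""
    services, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if sep:                                   # option names compared case-insensitively
            services[current][name.strip().lower()] = value.strip()
    return services

def find_psk_verifypeer_conflicts(text):
    """Names of services where PSKsecrets and verifyPeer = yes are both in effect."""
    services = parse_services(text)
    defaults = services.pop("")                   # assumption: options before the first [section] act as defaults
    conflicts = []
    for name, opts in services.items():
        effective = {**defaults, **opts}
        if "psksecrets" in effective and effective.get("verifypeer", "no").lower() == "yes":
            conflicts.append(name)
    return conflicts

if __name__ == "__main__":
    for service in find_psk_verifypeer_conflicts(SAMPLE_CONF):
        print(f"[{service}] sets PSKsecrets and verifyPeer = yes; use one or the other")
```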
