I reread the doc carefully. https://www.stunnel.org/auth.html
Certificates

A trivial configuration example:

[certificate-based server]
accept = <server_port>
connect = <dst_port>
cert = cert.pem

Alternatively, a technique known as certificate pinning can be used. The following configuration requires stunnel version 4.46 or higher:

[pinning client]
client = yes
accept = 127.0.0.1:<src_port>
connect = <server_host>:<server_port>
verifyPeer = yes
CAfile = peer-certificate.pem

The peer-certificate.pem file needs to contain the server certificate.

I am using the same certificate, which is called stunnel.pem and is generated using the "Build a Self-signed stunnel.pem" on the server. Since "nsCertType = server" in openssl.cnf, it is a server type certificate.
That file is copied on both the client and the server and the "verifyPeer = yes" option is set on the client side, and I am still getting the same error message: CERT: Pre-verification error: unsupported certificate purpose.

What am I doing wrong?

On Wed, Oct 14, 2020 at 11:57 AM Bob Bob <[email protected]> wrote:
> Thank you for your help.
>
> Well, I got that PSK is the best option and I fully agree with you, but I like learning and understanding.
>
> Setting aside the PSK option for now (removing it from the config file), I used to be able to use the VerifyPeer parameter with the PEM generated by Stunnel ("Build a Self-signed stunnel.pem").
> Just so that I understand, is it still possible to do it or do I need a robust / real certificate signed by a CA?
>
> I am by no means knowledgeable in certificates, so I would like to understand where the "CERT: Pre-verification error: unsupported certificate purpose" comes from and how I could solve that problem,
> could a self-signed or a letsencrypt one do, and what do I need to change to make verifyPeer work?
>
> Thanks.
>
> On Tue, Oct 13, 2020 at 3:03 PM Małgorzata Olszówka <[email protected]> wrote:
>> On 12.10.2020 at 14:29, Bob Bob wrote:
>> > Hi,
>> >
>> > I just updated to version 5.57 and the config I used forever does not work anymore.
>> > I regenerated the self certs using the "Build a Self-signed stunnel.pem" in Windows and made sure the CN was matching the hostname of the server machine.
>> >
>> > I understand there is an issue with the self-signed certificate...
>> > ...but it was working fine under 5.56.
>> >
>> > Server configuration
>> > [Server_SyncThing]
>> > cert = stunnel.pem
>> > accept = 999
>> > connect = 127.0.0.1:24596
>> > ciphers = PSK
>> > PSKsecrets = psk.txt
>> >
>> > Client configuration
>> > [SyncThing]
>> > client = yes
>> > accept = 127.0.0.1:24596
>> > connect = 192.168.0.102:999
>> > verifyPeer = yes
>> > CAfile = stunnel.pem
>> > PSKsecrets = psk.txt
>> >
>>
>> Hi Bob,
>> The easiest way to configure authentication is with PSK (Pre-Shared Key). It provides both client and server authentication. PSK is also the fastest TLS authentication.
>>
>> But use of the PSKsecrets option in combination with the verifyPeer option in your configuration file doesn't work.
>> Either the PSK secret or the peer certificate is used for authentication.
>>
>> You just need to disable the verifyPeer option. A certificate is also not required.
>>
>> Best regards,
>> Małgorzata Olszówka
>> _______________________________________________
>> stunnel-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
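As an added example (not code from the thread or from the stunnel project), the script below reproduces outside stunnel the check behind the "CERT: Pre-verification error: unsupported certificate purpose" message: an OpenSSL TLS client verifies the server chain with the "sslserver" purpose, so a pinned self-signed certificate is accepted or rejected by `openssl verify -purpose sslserver` exactly as a verifyPeer client accepts or rejects it, and nsCertType decides the outcome. It assumes only the openssl CLI (1.1.1 or newer, for -addext); the certificate file names and the CN are constructed placeholders.

```shell
#!/bin/sh
# Added example: reproduce outside stunnel the OpenSSL purpose check that a
# TLS client applies to the server certificate. Requires only the openssl
# CLI (1.1.1 or newer for -addext); all certificates are constructed here.
set -u

# make_selfsigned OUTFILE NSCERTTYPE
# Build a throw-away self-signed certificate with nsCertType=NSCERTTYPE
# ("server" or "client"); the CN is a constructed placeholder.
make_selfsigned() {
    out=$1; nstype=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out" \
        -subj "/CN=stunnel-purpose-demo" \
        -addext "nsCertType=$nstype" >/dev/null 2>&1
}

# purpose_ok CERTFILE
# Verify CERTFILE against itself as the trust anchor (pinning, as with
# CAfile = peer-certificate.pem) using the "sslserver" purpose that
# OpenSSL selects when it acts as a TLS client. Exit 0 if the certificate
# is acceptable as a server certificate; otherwise openssl prints the
# reason on stderr, e.g. "unsupported certificate purpose".
purpose_ok() {
    openssl verify -purpose sslserver -CAfile "$1" "$1" >/dev/null
}

# show_purposes CERTFILE
# List the purposes OpenSSL derives from the certificate's extensions;
# the "SSL server" line is the one a verifyPeer client cares about.
show_purposes() {
    openssl x509 -in "$1" -noout -purpose
}

demo() {
    work=$(mktemp -d) || return 1
    make_selfsigned "$work/server.pem" server
    make_selfsigned "$work/client.pem" client
    show_purposes "$work/server.pem" | grep '^SSL server : '
    purpose_ok "$work/server.pem" && echo "server.pem: accepted"
    purpose_ok "$work/client.pem" || echo "client.pem: rejected"
    rm -rf "$work"
}

demo
```

Run `show_purposes` on your own stunnel.pem to see what OpenSSL derives from its extensions, and `purpose_ok` on it to get the same verdict a client with verifyPeer = yes and that file as CAfile would reach.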