List:       stunnel-users
Subject:    Re: [stunnel-users] Client SSL certificate
From:       Michal Trojnara <Michal.Trojnara () mirt ! net>
Date:       2014-06-13 7:37:36
Message-ID: 539AAA40.7010909 () mirt ! net

reg14@rambler.ru wrote:
>> stunnel does not validate common names at all, as, unlike web 
>> browsers, it does not allow for dynamic selection of servers.
> If I understand the man page properly, in transparent mode stunnel 
> should connect to any server that a non-SSL aware client is going
> to.

You understand the man page properly, although in transparent
destination mode it would not be possible for stunnel to verify the
common name against the DNS name of the server.  Why?  Because stunnel
does not know the target server's DNS name, only its IP address.  Only
the original client knows the server name that resolved to this IP
address.

Mike
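
Added example (not part of the original message and not stunnel's own code): a Python illustration of the point made in the reply above, that a redirected connection's original destination gives a proxy only an IP address and port, so there is no DNS name to compare with the server certificate. It assumes the Linux SO_ORIGINAL_DST sockaddr_in layout; the sample address, the certificate dictionary and all function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample: a 16-byte sockaddr_in as returned on Linux by
# getsockopt(SOL_IP, SO_ORIGINAL_DST) for a redirected connection (assumption).
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET)
                   + struct.pack("!H4s8x", 443, socket.inet_aton("192.0.2.10")))

# Constructed sample certificate in the dict shape of ssl.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}

def original_destination(raw):
    """Decode the sockaddr_in: it yields an IP and a port, never a DNS name."""
    (family,) = struct.unpack_from("=H", raw, 0)
    port, packed = struct.unpack_from("!H4s", raw, 2)
    if family != socket.AF_INET:
        raise ValueError("not an IPv4 sockaddr")
    return socket.inet_ntoa(packed), port

def dns_match(pattern, name):
    """Simplified name match: exact labels, or '*' as the whole left-most label."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    return (p[0] == "*" or p[0] == n[0]) and p[1:] == n[1:]

def cert_matches(cert, reference):
    """Compare a reference identity (IP or DNS name) with the certificate SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        # Reference is a DNS name: only dNSName entries are candidates.
        return any(k == "DNS" and dns_match(v, reference) for k, v in sans)
    # Reference is an IP: only iPAddress entries are candidates.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip
               for k, v in sans)

if __name__ == "__main__":
    ip, port = original_destination(SAMPLE_SOCKADDR)
    print("proxy sees:", ip, port)
    print("match using what the proxy knows:", cert_matches(SAMPLE_CERT, ip))
    print("match using the client's name:",
          cert_matches(SAMPLE_CERT, "www.example.com"))
```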