We use stunnel configured to provide an SSL tunnel between SERVER A (where stunnel is configured as a client) and many SERVERS B (where we deployed stunnel configured to work in server mode).

We use self-signed certs on both the client stunnel and the server stunnel. We also have the 'verify=3' option in both places. Everything works in this configuration. All servers are running Windows (different flavors: WS2008, WS2003).

Now we are facing a situation where we have to put a properly CA-signed cert on SOME of the SERVER Bs. We also want to minimize the changes we need to make on SERVER A. This means that ideally we will be replacing the self-signed cert with a valid CA-signed one on the SERVER Bs one at a time, and we don't want to change the SERVER A configuration each time.

Is changing the 'verify' option to 2 on SERVER A the correct approach here? We will also presumably have to add the Network Solutions or other root certs into SERVER A's verification chain, right? Or are we missing something here and it will not work this way?

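An added example (not from the question's author) of how the two `verify` levels look in the client-side `stunnel.conf` on SERVER A; section names, ports, hostnames and file names are assumed. With `verify = 3` the peer certificate must itself be present in `CAfile`, so every SERVER B's self-signed cert has to be listed; with `verify = 2` the peer certificate only has to chain to something in `CAfile`, so the CA's root and intermediates are added once, and the not-yet-replaced self-signed certs can stay in the same file (a self-signed certificate in the trust store is its own root and keeps verifying).

```ini
; stunnel.conf on SERVER A (client side). Added example, file names assumed.

; --- before: pin each SERVER B's self-signed certificate ---
[serverB-pinned]
client = yes
accept = 127.0.0.1:5001
connect = serverb1.example.internal:5000
; SERVER A's own certificate and key, presented to SERVER B for its verify=3
cert = client.pem
; peer cert must be present, byte for byte, in CAfile
verify = 3
; concatenated PEM: the self-signed cert of every SERVER B
CAfile = trusted-peers.pem

; --- after: trust the CA chain, keep the remaining self-signed certs pinned ---
[serverB-mixed]
client = yes
accept = 127.0.0.1:5001
connect = serverb1.example.internal:5000
cert = client.pem
; peer cert must chain to a certificate in CAfile
verify = 2
; concatenated PEM: CA root + intermediates, plus the self-signed certs of the
; SERVER Bs that have not been migrated yet (each one is its own root)
CAfile = trusted-peers.pem
; stunnel 5.x only: without this, ANY certificate the same CA issued is accepted
; checkHost = serverb1.example.internal
```

On each migrated SERVER B the `cert` file should contain the leaf certificate followed by the CA intermediates, so SERVER A can build the chain up to the root in its `CAfile`. Remove each self-signed cert from `trusted-peers.pem` once its SERVER B has been migrated, so the old key stops being trusted.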