Score:0

stunnel client accepts any peer certificate

cn flag

I have a Linux machine that is connecting to a remote MySQL server using stunnel 5.56. I downloaded the remote server's certificate and put it in /etc/ssl/cert/mysql-server.pem. Here is my Linux machine's stunnel configuration:

# /etc/stunnel/mysql.conf
debug = 6

[mysql-server]
client = yes
accept  = 127.0.0.1:3326
connect = mysql-remote.example.com:3307
verifyPeer = yes
CAfile = /etc/ssl/cert/mysql-server.pem

When I start the service the tunnel gets established and this is what I see in the logs:

stunnel: LOG5[ui]: stunnel 5.56 on x86_64-pc-linux-gnu platform
stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.1k  25 Mar 2021
stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/mysql.conf
stunnel: LOG5[ui]: UTF-8 byte order mark not detected
stunnel: LOG5[ui]: FIPS mode disabled
stunnel: LOG6[ui]: Initializing service [mysql-server]
stunnel: LOG5[ui]: Configuration successful
stunnel: LOG6[ui]: Service [mysql-server] (FD=9) bound to 127.0.0.1:3326
stunnel4[3372706]: Starting TLS tunnels: /etc/stunnel/mysql.conf: started (no pid=pidfile specified!)
stunnel: LOG6[cron]: Executing cron jobs
stunnel: LOG6[cron]: Cron jobs completed in 0 seconds

As an experiment I downloaded the certificate used by https://www.google.com and saved it in /root/google.pem. I changed the above stunnel configuration by changing the CAfile to point to the Google certificate:

debug = 6

[mysql-server]
client = yes
accept  = 127.0.0.1:3326
connect = mysql-remote.example.com:3307
verifyPeer = yes
CAfile = /root/google.pem

When I restart stunnel everything works! That is, stunnel does not seem to care what certificate is in CAfile. This cannot be how peer certificate verification is supposed to work. What am I doing wrong?

(Note: I also tried adding verify = N with N being 2, 3, and 4 with the same results.)

Techincal details: running stunnel from Debian bullseye package stunnel4 version 3:5.56+dfsg-10.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.