I have a Linux machine that is connecting to a remote MySQL server using stunnel 5.56. I downloaded the remote server's certificate and put it in /etc/ssl/cert/mysql-server.pem. Here is my Linux machine's stunnel configuration:
# /etc/stunnel/mysql.conf
debug = 6
[mysql-server]
client = yes
accept = 127.0.0.1:3326
connect = mysql-remote.example.com:3307
verifyPeer = yes
CAfile = /etc/ssl/cert/mysql-server.pem
When I start the service the tunnel gets established and this is what I see in the logs:
stunnel: LOG5[ui]: stunnel 5.56 on x86_64-pc-linux-gnu platform
stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.1k 25 Mar 2021
stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/mysql.conf
stunnel: LOG5[ui]: UTF-8 byte order mark not detected
stunnel: LOG5[ui]: FIPS mode disabled
stunnel: LOG6[ui]: Initializing service [mysql-server]
stunnel: LOG5[ui]: Configuration successful
stunnel: LOG6[ui]: Service [mysql-server] (FD=9) bound to 127.0.0.1:3326
stunnel4[3372706]: Starting TLS tunnels: /etc/stunnel/mysql.conf: started (no pid=pidfile specified!)
stunnel: LOG6[cron]: Executing cron jobs
stunnel: LOG6[cron]: Cron jobs completed in 0 seconds
As an experiment I downloaded the certificate used by https://www.google.com and saved it in /root/google.pem. I changed the above stunnel configuration by changing the CAfile to point to the Google certificate:
debug = 6
[mysql-server]
client = yes
accept = 127.0.0.1:3326
connect = mysql-remote.example.com:3307
verifyPeer = yes
CAfile = /root/google.pem
When I restart stunnel everything works! That is, stunnel does not seem to care what certificate is in CAfile. This cannot be how peer certificate verification is supposed to work. What am I doing wrong?
(Note: I also tried adding verify = N with N being 2, 3, and 4, with the same results.)
Technical details: running stunnel from the Debian bullseye package stunnel4 version 3:5.56+dfsg-10.
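One check worth running before concluding that verifyPeer is broken: stunnel only evaluates CAfile during the TLS handshake of a connection that is actually forwarded through the tunnel, so a listener that binds cleanly (as in the log above, which shows no client connection at all) says nothing about whether verification works. The script below, an added example that is not part of the original post, shows what a correct CAfile check looks like independently of stunnel: it builds two constructed self-signed certificates (one standing in for the MySQL server, one unrelated certificate standing in for google.pem) and runs `openssl verify` with each as the CAfile. Only the matching file should validate the server certificate. The certificate names and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# Create constructed test material: a self-signed "server" certificate and an
# unrelated self-signed certificate that plays the role of /root/google.pem.
# $1 = directory to write into
make_demo_certs() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mysql-remote.example.com" \
    -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=unrelated.example" \
    -keyout "$dir/unrelated.key" -out "$dir/unrelated.pem" 2>/dev/null
}

# Exit status 0 if the CAfile ($1) validates the server certificate ($2),
# non-zero otherwise. This is the same trust decision a TLS client with
# verifyPeer enabled must make at handshake time.
cafile_trusts_server() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Human-readable wrapper around the check, for interactive use.
report() {
  if cafile_trusts_server "$1" "$2"; then
    echo "OK      : $1 validates $2"
  else
    echo "REJECTED: $1 does not validate $2"
  fi
}

# Stand-alone demonstration when the script is run directly.
if [ "${DEMO:-1}" = "1" ]; then
  WORK="$(mktemp -d)"
  make_demo_certs "$WORK"
  report "$WORK/server.pem"    "$WORK/server.pem"     # expected: OK
  report "$WORK/unrelated.pem" "$WORK/server.pem"     # expected: REJECTED
  rm -rf "$WORK"
fi
```

To apply the same check to the real endpoint, point `cafile_trusts_server` at the PEM file you downloaded from the MySQL host; if that file is not self-signed it must also contain the issuing CA, otherwise `openssl verify` (and stunnel) will reject it. A live handshake against the server can be tested with `openssl s_client -connect mysql-remote.example.com:3307 -CAfile /etc/ssl/cert/mysql-server.pem -verify_return_error`, which fails the connection instead of merely printing a verify error; repeating it with `-CAfile /root/google.pem` should fail, and if stunnel's tunnel still passes traffic after a client connects through 127.0.0.1:3326, that is the point at which the stunnel configuration, not the certificates, deserves a closer look.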