Stunnel between two servers: should the ssl certificate be the same on both sides?

I have two Ubuntu servers with stunnel configured between them. Server A acts as a middleman server and forwards all inbound traffic to Server B (Openvpn server) through stunnel.

Stunnel configurations on server A and on server B are:

server A:

[openvpn_client]
accept = 0.0.0.0:443
connect = <serverB_ip>:993
cert = /etc/stunnel/cert1.pem
client = yes

server B:

client = no
[openvpn_server]
accept = :::993
connect = 127.0.0.1:1194
cert = /etc/stunnel/cert2.pem

Here my question is: should the SSL certificates used, cert1.pem and cert2.pem, be identical? I tested the connection with both identical and different SSL certificates, and it works fine in both cases.

What is the wise choice then? Should I use the same certificate on server A as the one on server B?

In case the firewall I am passing through can detect SSL fingerprints and block my connection, will the difference between certificates become helpful?

No, the same certificate should not be used. The certificates should be different. The certificate has two keys for a reason. One of the keys is private, and should only be known and accessible to one system. Making this key available to other systems defeats one of the reasons for using certificates. Certificates are all about trust. Doing things like disseminating a key that should be private with other entities that should not have the key erodes that trust. http://www.steves-internet-guide.com/ssl-certificates-explained/
PouJa: Thank you so much. I see.

No, they should not be identical.

Certificates should identify an entity, generally speaking either a person or a computer.

In your scenario you only have two devices, but imagine a VPN network with many users. If one user should not have access any more, you can revoke that certificate, and block that user. If everyone uses the same cert, this will be impossible.
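Both answers come down to the same point: each host should hold its own private key, and the side that cares about who it is talking to should check the other side's certificate rather than merely present one. The script below is an added example, not taken from the question or the answers, showing how that looks for the two-server layout in the question: it generates a separate self-signed key pair for server A and server B with openssl, confirms the two certificates have different fingerprints, and writes stunnel configuration fragments in which each side pins the other's certificate with `verifyPeer` and `CAfile`. The hostnames `serverA.example`/`serverB.example`, the `$WORKDIR` paths and the use of self-signed certificates (instead of a private CA) are assumptions made for the example; `<serverB_ip>` is left as the placeholder the question uses.

```shell
#!/bin/sh
# Added example (not from the original post): one key pair per host, so each
# private key exists on exactly one machine, plus stunnel configs in which each
# side verifies the other's certificate instead of only presenting its own.
# Assumptions: openssl is installed; hostnames and $WORKDIR paths are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_host_cert NAME CN: self-signed certificate and private key for one host.
# In production the key stays on that host only; nothing copies it elsewhere.
make_host_cert() {
    name="$1"; cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
    chmod 600 "$WORKDIR/$name.key"
}

# fingerprint FILE: SHA-256 fingerprint of a certificate, the value a peer pins.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# write_configs: stunnel fragments mirroring the question's layout, with
# verifyPeer so that A only accepts B's certificate and B only accepts A's.
write_configs() {
    cat > "$WORKDIR/stunnel-A.conf" <<EOF
[openvpn_client]
client = yes
accept = 0.0.0.0:443
connect = <serverB_ip>:993
cert = $WORKDIR/serverA.crt
key = $WORKDIR/serverA.key
verifyPeer = yes
CAfile = $WORKDIR/serverB.crt
EOF
    cat > "$WORKDIR/stunnel-B.conf" <<EOF
[openvpn_server]
accept = :::993
connect = 127.0.0.1:1194
cert = $WORKDIR/serverB.crt
key = $WORKDIR/serverB.key
verifyPeer = yes
CAfile = $WORKDIR/serverA.crt
EOF
}

# keys_are_distinct: succeeds (exit 0) when the two hosts hold different
# certificates, i.e. different private keys, and the configs were written.
keys_are_distinct() {
    make_host_cert serverA serverA.example
    make_host_cert serverB serverB.example
    write_configs
    fp_a=$(fingerprint "$WORKDIR/serverA.crt")
    fp_b=$(fingerprint "$WORKDIR/serverB.crt")
    [ "$fp_a" != "$fp_b" ]
}

keys_are_distinct && echo "distinct keys: A=$fp_a B=$fp_b (configs in $WORKDIR)"
```

With `verifyPeer = yes` and the peer's certificate in `CAfile`, stunnel on server B rejects any client that does not present server A's exact certificate, which is the property that makes a per-host certificate revocable in the way the second answer describes: remove one certificate from `CAfile` and only that host loses access. On the question's last point, the firewall sees server A's certificate in the TLS handshake either way; using distinct certificates is about trust and revocation, not about what an on-path device can observe.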
