How do I ensure that stunnel sends all intermediate CA certs?

Solution 1:

The CAFile option configures a CA to use for client authentication certificates; this isn't what you want.

Instead, you want to craft the file in the cert option to contain the entire applicable certificate chain. You'll want to save a backup copy of that file, then make a new one, basically combining the two files, formatted like this:

-----BEGIN CERTIFICATE-----
(certificate from asana.pem file pasted here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate here; copy-paste the top chunk from the bundle)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate here; copy-paste the bottom chunk from the bundle)
-----END CERTIFICATE-----

This will force stunnel to present the full certificate chain to clients.

One further tidbit: the openssl s_client command is very useful for testing certificate chain issues and checking how your service is presenting its certificates.

Edit: OK... that certificate bundle's chain is three-deep, but the trust chain looks two-deep. Something's not right.

The top certificate ("Starfield Secure Certification Authority") is signed by an issuer named "Starfield Class 2 Certification Authority" with a thumbprint starting with ad7e1c28... but the second cert in the bundle, named exactly the same as the first cert's signer, which should be the exact same certificate, has a thumbprint starting with 363e4734 and an expiration date 10 years earlier. Then the third (root) cert is the signer of the included intermediate cert... but neither of those two has any relation to the first one!

If that didn't make sense, don't worry. Summary: sloppy work; someone seriously dropped the ball building this cert bundle. Your best bet, then, is to export the files in base-64 format from a browser that's successfully validating the chain and paste them into the format that I listed above.

Since that's a confusing mess through no fault of your own, I took a guess at your DNS name and grabbed the cert, and I think this should be the full chain you need: http://pastebin.com/Lnr3WHc8
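
The procedure from the answer above as a worked example: concatenate the server certificate, the intermediate and the root into the file that the cert option points at, then check the bundle's order with openssl, and also check it cryptographically, which is what catches the same-name, different-thumbprint intermediate the answer found in the vendor bundle. This is an added example, not code from the original answer or from stunnel. It assumes the openssl command-line tool; the throwaway test CA it builds, the host name stunnel.example.com and all the file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer or from stunnel.
# Assumes the openssl command-line tool. The CA built below, the host name
# stunnel.example.com and every file name are made up for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Issue a certificate: name, subject, signing cert, signing key, extension file.
issue_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 30 -sha256 -extfile "$5" -out "$WORK/$1.pem" 2>/dev/null
}

# Build a throwaway root -> intermediate -> server chain so this runs offline,
# plus a look-alike intermediate with the same name but a different key: the
# kind of certificate that turned up in the vendor bundle described above.
make_test_chain() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:stunnel.example.com\n' > "$WORK/leaf.ext"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    issue_cert intermediate "/CN=Example Test Intermediate CA" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"
    issue_cert lookalike    "/CN=Example Test Intermediate CA" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"
    issue_cert server "/CN=stunnel.example.com" "$WORK/intermediate.pem" "$WORK/intermediate.key" "$WORK/leaf.ext"
}

# Concatenate in the order TLS expects and stunnel presents: the server
# certificate first, then each issuer in turn, ending with the root.
# Usage: build_chain chain.pem server.pem intermediate.pem root.pem
build_chain() {
    out="$1"; shift
    cat "$@" > "$out"
}

# Split a bundle into part.NN.pem files, numbered in bundle order.
split_bundle() {
    rm -f "$WORK"/part.*.pem
    awk -v dir="$WORK" '/^-----BEGIN CERTIFICATE-----/ { n++ }
                        n > 0 { print > (dir "/part." sprintf("%02d", n) ".pem") }' "$1"
}

# One field of a certificate ("subject", "issuer", "fingerprint") without the "name=" prefix.
cert_field() {
    openssl x509 -in "$2" -noout -"$1" | sed 's/^[^=]*=[ ]*//'
}

# Print subject, issuer and SHA-1 thumbprint of every certificate in bundle order,
# so a wrong or out-of-place certificate is visible at a glance.
describe_chain() {
    split_bundle "$1"
    for p in "$WORK"/part.*.pem; do
        printf '%s\n    issued by: %s\n    thumbprint: %s\n' \
            "$(cert_field subject "$p")" "$(cert_field issuer "$p")" "$(cert_field fingerprint "$p")"
    done
}

# Succeed only if each certificate's issuer is the subject of the one after it
# and the bundle ends at a self-signed root. This compares names only.
check_chain_order() {
    split_bundle "$1"
    expect=""; subject=""
    for p in "$WORK"/part.*.pem; do
        subject=$(cert_field subject "$p")
        if [ -n "$expect" ] && [ "$subject" != "$expect" ]; then
            echo "out of order: expected '$expect' next, found '$subject'" >&2
            return 1
        fi
        expect=$(cert_field issuer "$p")
    done
    [ -n "$expect" ] && [ "$subject" = "$expect" ]
}

# Cryptographic check: verify the server certificate against the trusted root,
# using the bundle as the pool of intermediates. A name check passes a
# look-alike intermediate with the right name but the wrong key; this does not.
verify_chain() {   # trusted-root.pem bundle.pem server.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# stunnel then needs only:   cert = /etc/stunnel/chain.pem
# and the live service can be checked the same way (not run here):
#   openssl s_client -connect stunnel.example.com:443 -servername stunnel.example.com -showcerts </dev/null
```

check_chain_order is the quick test for the "wrong order" mistake; verify_chain is the one to trust, because it is the same path-building and signature check a TLS client performs, so it fails on the look-alike intermediate even though every name in that bundle lines up.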

Solution 2:

Qualys SSLLabs is really handy for checking your configuration after changes.

https://www.ssllabs.com/ssldb/analyze.html

It checks that you've got

  • strong ciphers enabled
  • weak ciphers disabled
  • the certificate chain complete and in the correct order