diff --git a/ocaml/libs/stunnel/stunnel.ml b/ocaml/libs/stunnel/stunnel.ml
index 8d319b4b80d..6b7d42608e7 100644
--- a/ocaml/libs/stunnel/stunnel.ml
+++ b/ocaml/libs/stunnel/stunnel.ml
@@ -218,29 +218,29 @@ let config_file ?(accept = None) config host port =
 | None ->
 []
 | Some {sni; verify; cert_bundle_path} ->
- [
- ""
- ; "# use SNI to request a specific cert. CAfile contains"
- ; "# public certs of all hosts in the pool and must contain"
- ; "# the cert of the server we connect to"
- ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
- ; ( match verify with
+ List.rev_append
+ ( match verify with
 | VerifyPeer ->
- ""
+ ["verifyPeer=yes"]
 | CheckHost ->
- sprintf "checkHost=%s" host
- )
- ; "verifyPeer=yes"
- ; sprintf "CAfile=%s" cert_bundle_path
- ; ( match Sys.readdir crl_path with
- | [||] ->
- ""
- | _ ->
- sprintf "CRLpath=%s" crl_path
- | exception _ ->
- ""
+ [sprintf "checkHost=%s" host; "verifyChain=yes"]
 )
- ]
+ [
+ ""
+ ; "# use SNI to request a specific cert. CAfile contains"
+ ; "# public certs of all hosts in the pool and must contain"
+ ; "# the cert of the server we connect to"
+ ; (match sni with None -> "" | Some s -> sprintf "sni = %s" s)
+ ; sprintf "CAfile=%s" cert_bundle_path
+ ; ( match Sys.readdir crl_path with
+ | [||] ->
+ ""
+ | _ ->
+ sprintf "CRLpath=%s" crl_path
+ | exception _ ->
+ ""
+ )
+ ]
 )
 ; [""]
 ]
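Review bot: In the `CheckHost` branch the peer is no longer pinned: `verifyPeer=yes` is dropped in favour of `checkHost=...` plus `verifyChain=yes`, so, as stunnel documents these options, a certificate that chains to an entry in `CAfile` and names the host is accepted, while the emitted comment still says the bundle "must contain the cert of the server we connect to". If that is the intended trust model, make the generated comment mode-specific, for example `# CheckHost: CAfile holds the CA certs the peer chain must lead to` against `# VerifyPeer: CAfile must contain the peer's own cert`. `List.rev_append` also reverses the branch's list, so the file gets `verifyChain=yes` before `checkHost=...`; `(match verify with ...) @ [...]` would keep the order as written. The `exception _ -> ""` arm around `Sys.readdir crl_path` is carried over unchanged and still omits `CRLpath` silently when the directory cannot be read, which deserves at least a log line so that skipped revocation checking is visible. config_file's body starts and ends outside the hunk.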