[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com
Thu Nov 3 21:31:41 CET 2011


On 11/3/2011 7:35 AM, Michal Trojnara wrote:
> I wrote:
>> Please test it and let us know if that's what you expected:
>> ftp://ftp.stunnel.org/stunnel/stunnel-4.46b2.tar.gz
>
> I found an error!  Please try:
> ftp://ftp.stunnel.org/stunnel/stunnel-4.46b3.tar.gz
>
Appears to be working, thanks.  A couple of questions about verify=4:

1. Are the certificates restricted to the host(s) specified in them (CN, 
alt name)?  Or will they validate any site that happens to return them?

2. I think some host restriction makes sense, but rather than use what's 
inside the cert, it would be good to allow the user to specify the host 
name(s) which a given cert should be restricted to.

3. The certificates are only used for server verification; they would 
never be treated as a CA, right?
