[stunnel-users] Difference between verify=2, 3 and 4
Nikolaus at rath.org
Sat Sep 14 07:55:14 CEST 2013
Thanks for writing stunnel, it looks like a great tool!
I have, however, a really hard time understanding the difference between
verify=2, 3 and 4. In the manpage, I found:
    verify = level
        verify peer certificate
        level 0 - request and ignore peer certificate
        level 1 - verify peer certificate if present
        level 2 - verify peer certificate
        level 3 - verify peer with locally installed certificate
        level 4 - ignore CA chain and only verify peer certificate
        default - no verify
Levels 0-2 seem pretty clear cut, but then it becomes confusing for me.
First, I do not understand how level 3 differs from level 2. What does
"against a locally installed certificate" mean? It seems to me that I
certainly need to have a local copy of the trusted CAs even in level 2
-- at least I hope that they aren't somehow built in to stunnel. But
there is also just one CApath option, so will that be used for level 2
or level 3?
For level 4, the "ignore the CA chain" path is fine -- but where do I
put the peer certificates that I'm willing to accept? CApath seems
wrong, but cert is already used for the server's own certificate...
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
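Added illustration, not part of the original message: a minimal server-side stunnel.conf fragment showing where the verify option sits relative to the trust store options. All file paths are placeholders. The comments give my own reading of the manpage excerpt quoted above, stated as an assumption rather than something the post confirms: levels 2, 3 and 4 all read trusted certificates from the same CAfile/CApath options; level 2 needs only the issuing CA chain there, while levels 3 and 4 additionally expect the peer's own certificate to be present there (level 4 skipping the chain check altogether).

```ini
; Added example (not from the original post). Server-side stunnel service
; that verifies the connecting client's certificate. Paths are placeholders.

; This service's own certificate and private key (what "cert" is for).
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

[https]
accept  = 443
connect = 127.0.0.1:8080

; Trust store. Assumption: one CAfile (or CApath, with c_rehash-style
; hashed file names) serves every verify level; there is no separate
; option for level 3 or 4.
CAfile = /etc/stunnel/trusted.pem

; Assumed meaning of the levels against CAfile above:
;   verify = 2  client cert must chain to a CA contained in CAfile
;   verify = 3  as level 2, and the client's own cert must also be in CAfile
;   verify = 4  only the client's own cert is matched against CAfile; the
;               CA chain is not checked at all
verify = 2
```

With this layout, switching between the levels means changing only the verify line and, for levels 3 and 4, appending the accepted peer certificates to the same trusted.pem (or dropping them, hash-named, into a CApath directory); the cert option stays reserved for the server's own certificate.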