[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com al_9x at yahoo.com
Thu Nov 3 21:31:41 CET 2011

On 11/3/2011 7:35 AM, Michal Trojnara wrote:
> I wrote:
>> Please test it and let us know if that's what you expected:
>> ftp://ftp.stunnel.org/stunnel/stunnel-4.46b2.tar.gz
> I found an error!  Please try:
> ftp://ftp.stunnel.org/stunnel/stunnel-4.46b3.tar.gz
Appears to be working, thanks.  A couple of questions about verify=4:

1. Are the certificates restricted to the host(s) specified in them (CN, 
alt name)?  Or will they validate any site that happens to return them?

2. I think some host restriction makes sense, but rather than use what's 
inside the cert, it would be good to allow the user to specify the host 
name(s) which a given cert should be restricted to.

3. The certificates are only used for server verification, they would 
never be treated as CA, right?

More information about the stunnel-users mailing list