[stunnel-users] Difference between verify=2, 3 and 4

Nikolaus Rath Nikolaus at rath.org
Sat Sep 14 07:55:14 CEST 2013


Thanks for writing stunnel, it looks like a great tool!

I have, however, a really hard time understanding the difference between
verify=2,3 and 4. In the manpage, I found

       verify = level
           verify peer certificate

           level 0 - request and ignore peer certificate
           level 1 - verify peer certificate if present
           level 2 - verify peer certificate
           level 3 - verify peer with locally installed certificate
           level 4 - ignore CA chain and only verify peer certificate
           default - no verify

Levels 0-2 seem pretty clear cut, but then it becomes confusing for me.

First, I do not understand how level 3 differs from level2. What does
"against a locally installed certificate" mean? It seems to me that I
certainly need to have a local copy of the trusted CAs even in level 2
-- at least I hope that they aren't somehow build in to stunnel. But
there is also just one CApath option, so will that be used for level 2
or level 3?

For level 4, the "ignore the CA chain" path is fine -- but where do I
put the peer certificates that I'm willing to accept? CApath seems
wrong, but cert is already used for the server's own certificate...



 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

More information about the stunnel-users mailing list