[stunnel-users] Difference between verify=2, 3 and 4

• Previous message (by thread): [stunnel-users] Hostname verification, support for, and patches
• Next message (by thread): [stunnel-users] Difference between verify=2, 3 and 4
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

Thanks for writing stunnel, it looks like a great tool!

I have, however, a really hard time understanding the difference between
verify=2,3 and 4. In the manpage, I found

       verify = level
           verify peer certificate

           level 0 - request and ignore peer certificate
           level 1 - verify peer certificate if present
           level 2 - verify peer certificate
           level 3 - verify peer with locally installed certificate
           level 4 - ignore CA chain and only verify peer certificate
           default - no verify

Levels 0-2 seem pretty clear cut, but then it becomes confusing for me.

First, I do not understand how level 3 differs from level2. What does
"against a locally installed certificate" mean? It seems to me that I
certainly need to have a local copy of the trusted CAs even in level 2
-- at least I hope that they aren't somehow build in to stunnel. But
there is also just one CApath option, so will that be used for level 2
or level 3?

For level 4, the "ignore the CA chain" path is fine -- but where do I
put the peer certificates that I'm willing to accept? CApath seems
wrong, but cert is already used for the server's own certificate...


Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

• Previous message (by thread): [stunnel-users] Hostname verification, support for, and patches
• Next message (by thread): [stunnel-users] Difference between verify=2, 3 and 4
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]