[stunnel-users] Difference between verify=2, 3 and 4

Javier meresponde2001-stn at yahoo.es
Tue Sep 17 01:17:16 CEST 2013

On Fri, 13 Sep 2013 22:55:14 -0700
Nikolaus Rath <Nikolaus at rath.org> wrote:

> Hello,
> Thanks for writing stunnel, it looks like a great tool!
> I have, however, a really hard time understanding the difference between
> verify=2,3 and 4. In the manpage, I found
>        verify = level
>            verify peer certificate
>            level 0 - request and ignore peer certificate
>            level 1 - verify peer certificate if present
>            level 2 - verify peer certificate
>            level 3 - verify peer with locally installed certificate
>            level 4 - ignore CA chain and only verify peer certificate
>            default - no verify
> Levels 0-2 seem pretty clear cut, but then it becomes confusing for me.
> First, I do not understand how level 3 differs from level2. What does
> "against a locally installed certificate" mean? It seems to me that I
> certainly need to have a local copy of the trusted CAs even in level 2
> -- at least I hope that they aren't somehow build in to stunnel. But
> there is also just one CApath option, so will that be used for level 2
> or level 3?


They differ in how you manage certificates to validate them.

The level 2 verify the peer certificate against CA (CAfile).

The level 3 verify the peer certificate against CA and also with a local copy
of that certificate in the CAfile. In other words, in addition to the CAs 
certificates you'll have the incoming peer certificates in that file. And you 
verify that not only is valid against the CA, but against the certificate itself,
in that file.

It's a way of a double check to ensure it's not a fake certificate.

> For level 4, the "ignore the CA chain" path is fine -- but where do I
> put the peer certificates that I'm willing to accept? CApath seems
> wrong, but cert is already used for the server's own certificate...

In the CAfile.

I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate
but just the top CA, without the full CAs chain (all CAs part of the certificate).

If no one corrects me, L4 is as I told. But the best way is to test it.


More information about the stunnel-users mailing list