[stunnel-users] Difference between verify=2, 3 and 4

Michal Trojnara Michal.Trojnara at mirt.net
Thu Sep 19 21:05:44 CEST 2013


On 2013-09-17 01:17, Javier wrote:
> I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate
> but just the top CA, without the full CAs chain (all CAs part of the certificate).
>
> If no one corrects me, L4 is as I told. But the best way is to test it.

It looks like I'll be the one to correct you.  It is the opposite:
"verify = 4" *only* checks your peer certificate, ignoring all the other
certs in the chain.  The rationale behind this mode is to be able to use:
1. Specific certificates issued by CAs you don't trust for any other
certificates.  This can also be achieved by "verify = 3".
2. Specific certificates issued by CAs for which you don't *have* the
root certificate.  This may happen, as SSL only requires servers to
send the remaining part of the chain.  Sending the root certificate
itself is optional.

IMHO most stunnel deployments *should* use "verify = 4".

Mike
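The two verification modes contrasted above, as an added stunnel configuration example that is not part of the original thread: one client service trusts anything the CA in CAfile issued (verify = 2), the other ignores the chain and accepts only the one peer certificate stored locally (verify = 4). The service names, ports, host name and file paths are assumptions.

```ini
; Added example, not from the mailing-list thread. Two stunnel client
; services reaching the same backend, differing only in peer verification.
; Service names, addresses and file paths are assumptions.

[backend-chain]
client = yes
accept = 127.0.0.1:8443
connect = backend.example.com:443
; verify = 2: the peer certificate must chain up to a CA in CAfile.
; chain.pem holds the trusted CA certificate(s). Every certificate that
; CA has issued, not just the backend's, passes this check, so the CA's
; own issuance practices become part of the trust decision.
verify = 2
CAfile = /etc/stunnel/chain.pem

[backend-pinned]
client = yes
accept = 127.0.0.1:8444
connect = backend.example.com:443
; verify = 4: the CA chain is ignored and only the peer (leaf) certificate
; is checked, so that certificate itself must be present in CAfile.
; The issuing CA's root is not needed locally, and other certificates
; from the same CA are not trusted. When the backend's certificate is
; renewed, backend-cert.pem must be updated or the connection will fail.
verify = 4
CAfile = /etc/stunnel/backend-cert.pem
```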


