[stunnel-users] Difference between verify=2, 3 and 4

Javier meresponde2001-stn at yahoo.es
Fri Sep 20 04:30:32 CEST 2013

On Thu, 19 Sep 2013 21:05:44 +0200
Michal Trojnara <Michal.Trojnara at mirt.net> wrote:

> On 2013-09-17 01:17, Javier wrote:
> > I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate
> > but just the top CA, without the full CAs chain (all CAs part of the certificate).
> >
> > If no one corrects me, L4 is as I told. But the best way is to test it.
> It looks like I'll be the one to correct you.


Better you, as the developer, than anyone else haha. So, glad you did :)

>  It is the opposite:
> "verify = 4" *only* checks your peer certificate, ignoring all the other
> certs in the chain.  The rationale behind this mode is to be able to use:
> 1. Specific certificates issued by CAs you don't trust for any other
> certificates.  This can also be achieved by "verify = 3".
> 2. Specific certificates issued by CAs for which you don't *have* the
> root certificate.  This may happen, as SSL does only requires servers to
> send the remaining part of the chain.  Sending the root certificate
> itself is optional.
> IMHO most stunnel deployments *should* use "verify = 4".

I think I understand now.

But a bit contradictory to accept a certificate that has been issued by a CA
you don't trust, just for the main purpose of establish an SSL connection.

It depends in the service you are offering, I guess.

I the other hand, I mainly use Stunnel in client mode.

Thanks for the explanation, Michal :)

More information about the stunnel-users mailing list