[stunnel-users] Difference between verify=2, 3 and 4
meresponde2001-stn at yahoo.es
Fri Sep 20 04:30:32 CEST 2013
On Thu, 19 Sep 2013 21:05:44 +0200
Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
> On 2013-09-17 01:17, Javier wrote:
> > I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate
> > but just the top CA, without the full CAs chain (all CAs part of the certificate).
> > If no one corrects me, L4 is as I told. But the best way is to test it.
> It looks like I'll be the one to correct you.
Better you, as the developer, than anyone else haha. So, glad you did :)
> It is the opposite:
> "verify = 4" *only* checks your peer certificate, ignoring all the other
> certs in the chain. The rationale behind this mode is to be able to use:
> 1. Specific certificates issued by CAs you don't trust for any other
> certificates. This can also be achieved by "verify = 3".
> 2. Specific certificates issued by CAs for which you don't *have* the
> root certificate. This may happen, as SSL does only requires servers to
> send the remaining part of the chain. Sending the root certificate
> itself is optional.
> IMHO most stunnel deployments *should* use "verify = 4".
I think I understand now.
But a bit contradictory to accept a certificate that has been issued by a CA
you don't trust, just for the main purpose of establish an SSL connection.
It depends in the service you are offering, I guess.
I the other hand, I mainly use Stunnel in client mode.
Thanks for the explanation, Michal :)
More information about the stunnel-users