[stunnel-users] Difference between verify=2, 3 and 4

Nikolaus Rath Nikolaus at rath.org
Fri Sep 20 05:27:17 CEST 2013


Michal Trojnara <Michal.Trojnara at mirt.net> writes:
> On 2013-09-17 01:17, Javier wrote:
>> I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate
>> but just the top CA, without the full CAs chain (all CAs part of the certificate).
>>
>> If no one corrects me, L4 is as I told. But the best way is to test it.
>
> It looks like I'll be the one to correct you.  It is the opposite:
> "verify = 4" *only* checks your peer certificate, ignoring all the other
> certs in the chain.  The rationale behind this mode is to be able to use:
> 1. Specific certificates issued by CAs you don't trust for any other
> certificates.  This can also be achieved by "verify = 3".
> 2. Specific certificates issued by CAs for which you don't *have* the
> root certificate.  This may happen, as SSL only requires servers to
> send the remaining part of the chain.  Sending the root certificate
> itself is optional.
>
> IMHO most stunnel deployments *should* use "verify = 4".

Thanks for explanations. So in which case would I ever use 3? Somehow I
can't think of such a situation. If I already explicitly trust a
specific certificate, why would I be interested in checking the CA
chain?


Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C
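As an added illustration of the two modes compared in this thread (this configuration is an example written here, not part of the original message or of stunnel's own documentation), here are two client-side stunnel sections that differ only in the verify level and in what the CAfile contains. The service names, addresses and file paths are placeholders chosen for the example.

```ini
; Mode A: verify = 3
; The peer certificate must chain to a CA in CAfile *and* the peer's own
; certificate must itself be present in CAfile. CAfile therefore holds the
; full chain (root and intermediates) plus the expected leaf certificate.
[service-verify3]
client  = yes
accept  = 127.0.0.1:8443
connect = backend.example.invalid:443   ; placeholder peer
verify  = 3
CAfile  = /etc/stunnel/chain-plus-peer.pem   ; placeholder: CA chain + peer leaf

; Mode B: verify = 4
; Only the peer certificate itself is compared against CAfile; the rest of
; the chain the server sends is ignored. CAfile holds just the peer's
; certificate, so no root or intermediate CA certificate is needed locally.
[service-verify4]
client  = yes
accept  = 127.0.0.1:8444
connect = backend.example.invalid:443   ; placeholder peer
verify  = 4
CAfile  = /etc/stunnel/peer-only.pem         ; placeholder: peer leaf only
```

The practical difference for an operator is what has to be kept in CAfile: mode A requires every CA in the chain to be available locally in addition to the pinned leaf, while mode B pins the leaf alone, which is what makes it usable when the issuing root is not obtainable, as the quoted reply describes.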


