[stunnel-users] Difference between verify=2, 3 and 4

• Previous message (by thread): [stunnel-users] Difference between verify=2, 3 and 4
• Next message (by thread): [stunnel-users] Difference between verify=2, 3 and 4
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2013-09-20 04:30, Javier wrote:
> But a bit contradictory to accept a certificate that has been issued by a CA
> you don't trust, just for the main purpose of establish an SSL connection.

It seems to be contradictory, but it is not.  You often cannot control
the certificate of your peer server.  In case its certificate is issued
by a large CA, you really want to make sure you're connecting to this
specific server, and not any other server with certificate issued by the
same CA.  Web browsers use CNAME/SubjectAltName verification to solve
the same problem in a different way.

Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130920/81cec2b5/attachment.sig>

• Previous message (by thread): [stunnel-users] Difference between verify=2, 3 and 4
• Next message (by thread): [stunnel-users] Difference between verify=2, 3 and 4
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]