[stunnel-users] Difference between verify=2, 3 and 4

Nikolaus Rath Nikolaus at rath.org
Fri Sep 20 18:25:24 CEST 2013


Jochen Bern <Jochen.Bern at LINworks.de> writes:
> On 20.09.2013 05:27, Nikolaus Rath wrote:
>> So in which case would I ever use 3? Somehow I
>> can't think of such a situation. If I already explicitly trust a
>> specific certificate, why would I be interested in checking the CA
>> chain?
>
> Imagine the CA (or one of the intermediate CAs) getting compromised and
> corresponding revocations becoming available to your machine (by OS
> updates, OCSP, whatever) before you hear of the incident.

FWIW, I still don't see why I'd use verify=3 in that case. 

Best,
Nikolaus

-- 
Encrypted emails preferred.
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

             »Time flies like an arrow, fruit flies like a Banana.«


More information about the stunnel-users mailing list