[stunnel-users] Difference between verify=2, 3 and 4

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Fri Sep 20 19:29:38 CEST 2013

On Fri, 2013-09-20 09:25:24 -0700, Nikolaus Rath wrote:
> Jochen Bern <Jochen.Bern at LINworks.de> writes:
> > On 20.09.2013 05:27, Nikolaus Rath wrote:
> >> So in which case would I ever use 3? Somehow I
> >> can't think of such a situation. If I already explicitly trust a
> >> specific certificate, why would I be interested in checking the CA
> >> chain?
> >
> > Imagine the CA (or one of the intermediate CAs) getting compromised and
> > corresponding revocations becoming available to your machine (by OS
> > updates, OCSP, whatever) before you hear of the incident.
> FWIW, I still don't see why I'd use verify=3 in that case. 


With verify=3, you don't explicitly trust the peer certificate, but
you restrict the use of /valid/ certificates issued by a certain CA to
the ones locally installed.

Revoking the server certificate or one of the intermediate
certificates renders the peer certificate invalid and stunnel will
reject it (if the CRLs are available to stunnel), even though it still
is locally installed.



Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
Tel: +49 621 33996-0
Fax: +49 621 3392239
mailto:lholzheid at bihl-wiedemann.de
Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Registered at Amtsgericht Mannheim, HRB 5796
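An added configuration example, not from this thread or from the stunnel documentation, showing the three things a verify=3 client section needs so that the behaviour described above (chain check, revocation check, and a locally installed copy of the peer certificate) can actually take effect; the section name, hostname and file paths are assumptions:

```ini
; Added example (not from the thread): an stunnel client section using
; verify=3, so the peer certificate must (a) chain to a trusted CA,
; (b) not be revoked, and (c) be one of the certificates installed locally.
; Section name, hostname and paths are assumptions, not values from the thread.
[backup-client]
client = yes
accept = 127.0.0.1:8443
connect = backup.example.com:443

; Chain check (the part verify=2 already performs): the CA certificate(s).
CAfile = /etc/stunnel/ca-chain.pem

; The part specific to verify=3: the expected peer certificate itself is
; installed in a directory stunnel searches, named by its OpenSSL subject
; hash (run c_rehash on the directory after copying the certificate in).
CApath = /etc/stunnel/peers

; Revocation data. Without a current CRL, the "CA or server certificate
; revoked before you hear of it" case cannot be rejected, so keep it fresh.
CRLfile = /etc/stunnel/ca.crl

; 2 = chain only; 3 = chain + locally installed peer certificate;
; 4 = locally installed peer certificate only, chain ignored.
verify = 3
```

With verify=4 the CAfile and CRLfile lines would no longer influence the decision, which is exactly the revocation gap the thread points at.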
