On 2013-09-17 01:17, Javier wrote:
> I didn't use level 4, but if I'm not wrong, it doesn't check for a local 
> certificate
> but just the top CA, without the full CAs chain (all CAs part of the 
> certificate).
>
> If no one corrects me, L4 is as I told. But the best way is to test it.

It looks like I'll be the one to correct you.  It is the opposite:
"verify = 4" *only* checks your peer certificate, ignoring all the other
certs in the chain.  The rationale behind this mode is to be able to use:
1. Specific certificates issued by CAs you don't trust for any other
certificates.  This can also be achieved by "verify = 3".
2. Specific certificates issued by CAs for which you don't *have* the
root certificate.  This may happen, as SSL only requires servers to
send the remaining part of the chain.  Sending the root certificate
itself is optional.

IMHO most stunnel deployments *should* use "verify = 4".

Mike
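An added configuration example (not from the thread, and not stunnel's own documentation) showing the two verification styles discussed above side by side on the client side. Hostnames and file paths are assumed: backend.example.com, /etc/stunnel/backend-leaf.pem and /etc/stunnel/ca-bundle.pem.

```ini
; stunnel.conf, client side (added example; assumed hostnames and paths)

[backend-pinned]
; "verify = 4": only the peer's own certificate is checked, and it must be
; present in CAfile. Whatever chain the server sends is ignored, so no
; root or intermediate CA certificate is needed locally.
; CAfile holds just the peer's leaf certificate in PEM form.
client = yes
accept = 127.0.0.1:8080
connect = backend.example.com:443
verify = 4
CAfile = /etc/stunnel/backend-leaf.pem

[backend-chain]
; For comparison, "verify = 2" validates the whole chain against a CA
; bundle: the server must send every intermediate, and the root must be
; in CAfile (or CApath), which is exactly the case level 4 avoids.
client = yes
accept = 127.0.0.1:8081
connect = backend.example.com:443
verify = 2
CAfile = /etc/stunnel/ca-bundle.pem
```

The trade-off with the pinned section is operational: because the leaf certificate itself is the trust anchor, the file in CAfile has to be replaced every time the peer renews its certificate, or the tunnel stops connecting. In stunnel 5 the same behaviour is spelled out as `verifyPeer = yes` with `verifyChain = no`; the numeric `verify` levels are still accepted for compatibility.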

