Michal Trojnara <[email protected]> writes:

> On 2013-09-17 01:17, Javier wrote:
>> I didn't use level 4, but if I'm not wrong, it doesn't check for a local
>> certificate but just the top CA, without the full CAs chain (all CAs part
>> of the certificate).
>>
>> If no one corrects me, L4 is as I told. But the best way is to test it.
>
> It looks like I'll be the one to correct you. It is the opposite:
> "verify = 4" *only* checks your peer certificate, ignoring all the other
> certs in the chain. The rationale behind this mode is to be able to use:
> 1. Specific certificates issued by CAs you don't trust for any other
> certificates. This can also be achieved by "verify = 3".
> 2. Specific certificates issued by CAs for which you don't *have* the
> root certificate. This may happen, as SSL only requires servers to
> send the remaining part of the chain. Sending the root certificate
> itself is optional.
>
> IMHO most stunnel deployments *should* use "verify = 4".
Thanks for the explanations. So in which case would I ever use 3? Somehow I
can't think of such a situation. If I already explicitly trust a specific
certificate, why would I be interested in checking the CA chain?

Best,
-Nikolaus

--
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
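To make the two verify levels Michal describes concrete, here is an added stunnel configuration fragment (not part of this thread, and not the stunnel project's own example) with two client services that differ only in the `verify` level and in what their `CAfile` must contain. The host names, ports and file paths are placeholders.

```ini
; Added illustration, not from the mailing-list thread.
; Two stunnel client services that differ only in the "verify" level.
; Host names, ports and file paths are placeholders.

; Global defaults shared by both services
client = yes

; verify = 3: the peer certificate must chain up to a CA present in
; CAfile, AND a copy of the peer certificate itself must also be in
; CAfile. So this file has to hold the full CA chain (root included)
; plus the peer's own certificate.
[backend-verify3]
accept  = 127.0.0.1:8443
connect = backend.example.com:443
verify  = 3
CAfile  = /etc/stunnel/ca-chain-and-peer.pem

; verify = 4: only the peer certificate is compared with the copies in
; CAfile; the issuing CAs are ignored. CAfile needs nothing but the
; peer certificate(s), which is why this level still works when the
; peer's root CA is not available locally (Michal's second case).
[backend-verify4]
accept  = 127.0.0.1:9443
connect = backend.example.com:443
verify  = 4
CAfile  = /etc/stunnel/peer-only.pem
```

The practical consequence of the difference, as Michal describes it, is what has to be kept in `CAfile`: with `verify = 4` the file holds the peer certificate only, so whenever the peer's certificate is reissued the file must be updated or the connection will fail; with `verify = 3` the peer certificate is additionally checked against the CA chain, so the chain (including the root) must be present as well.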
