Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

>Note, however, that stunnel will not by default verify peer certificates, so
>additional configuration is required for that. Only stunnel's verification
>level 3, where the remote peer certificate is locally installed in a
>local CAfile referenced in the stunnel.conf file actually verifies that
>you are reaching the right peer server.
>
>Stunnel has no support for peername verification via trusted
>CAs. Stunnel's verification level 2 just lulls unsuspecting users into
>a false sense of security. It just verifies the certificate trust chain
>(essentially pointless), but not the peername. I tried to convince the
>author of stunnel that verification level 2 is broken, and should be
>modified, ... he was not interested.
>
>- --
>Viktor.

Thank you for the warning!
I will try to learn more about it.

At the moment I am satisfied with the fact that the communication with
the ISP's server is encrypted. So my name/passwd, sent with SASL
LOGIN/PLAIN, are +- safe.
Maybe I should at least use the IP (not the name) of my ISP's server in
the stunnel conf, or add its name to my protected /etc/hosts.

--kapetr
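
The two verification levels discussed in this thread, side by side, as an added stunnel.conf sketch that is not part of either message. The host name, ports and file paths are placeholders, and the option semantics are those of the stunnel releases the thread describes.

```ini
; stunnel.conf client fragment (constructed example, placeholder names)
client = yes

; Level 2: the server certificate must chain to a CA found in CAfile.
; The name in the certificate is never compared with the host in
; "connect", so any certificate issued by any CA in this bundle passes.
; This is the behaviour the quoted message warns about.
;[isp-smtp-chain-only]
;accept  = 127.0.0.1:10025
;connect = smtp.isp.example:465
;verify  = 2
;CAfile  = /etc/ssl/certs/ca-bundle.crt

; Level 3: the server's own certificate must be present in CAfile.
; The file holds a copy of the ISP server certificate, obtained and
; checked out of band, so only that exact certificate is accepted.
; The copy has to be replaced whenever the ISP renews its certificate.
[isp-smtp-pinned]
accept  = 127.0.0.1:10025
connect = smtp.isp.example:465
verify  = 3
CAfile  = /etc/stunnel/isp-smtp-peer.pem
```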

