On Thu, 19 Sep 2013 21:05:44 +0200 Michal Trojnara <[email protected]> wrote:
> On 2013-09-17 01:17, Javier wrote:
> > I didn't use level 4, but if I'm not wrong, it doesn't check for a local
> > certificate
> > but just the top CA, without the full CAs chain (all CAs part of the
> > certificate).
> >
> > If no one corrects me, L4 is as I told. But the best way is to test it.
>
> It looks like I'll be the one to correct you.

Hi. Better you, as the developer, than anyone else haha. So, glad you did :)

> It is the opposite:
> "verify = 4" *only* checks your peer certificate, ignoring all the other
> certs in the chain. The rationale behind this mode is to be able to use:
> 1. Specific certificates issued by CAs you don't trust for any other
> certificates. This can also be achieved by "verify = 3".
> 2. Specific certificates issued by CAs for which you don't *have* the
> root certificate. This may happen, as SSL only requires servers to
> send the remaining part of the chain. Sending the root certificate
> itself is optional.
>
> IMHO most stunnel deployments *should* use "verify = 4".

I think I understand now. But it is a bit contradictory to accept a certificate that has been issued by a CA you don't trust, just for the main purpose of establishing an SSL connection. It depends on the service you are offering, I guess. On the other hand, I mainly use Stunnel in client mode.

Thanks for the explanation, Michal :)
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
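As an added illustration of the two modes discussed in the thread (example configuration, not something posted by either participant), here are two client-mode stunnel.conf service fragments side by side: the first verifies the server's full chain against locally installed root CAs, the second uses "verify = 4" to accept only the one pinned peer certificate. The service names, hostnames and file paths are assumptions.

```ini
; Added example, not from the mailing-list thread.
; Service names, hostnames and paths are assumptions.

; Mode A: chain verification (verify = 2) against the roots in CAfile.
; Any certificate issued by any CA listed in roots.pem is accepted, so
; the trust decision is delegated to those CAs and their issuing policy.
[imap-chain]
client  = yes
accept  = 127.0.0.1:1143
connect = imap.example.org:993
verify  = 2
CAfile  = /etc/stunnel/roots.pem

; Mode B: peer pinning (verify = 4). Only the exact certificate stored in
; CAfile is accepted and the chain the server sends is ignored, so this
; works even when the issuing CA's root is not available locally, and a
; certificate from the same CA for a different host is still rejected.
[imap-pinned]
client  = yes
accept  = 127.0.0.1:2143
connect = imap.example.org:993
verify  = 4
CAfile  = /etc/stunnel/imap.example.org.pem
```

With "verify = 4" the pinned file has to be updated whenever the server's certificate is renewed, otherwise the tunnel stops connecting; that operational cost is the price of not relying on the chain.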
