On Thu, 2011-04-28 17:06:28 +0200, laurent.uk(a)bnpparibas.com wrote:
> Dear Ludolf, I need some help with the verify option.
>
> I want to check the client certificate on my machine and also check if the
> client's certificate is in the CRL list.
>
> You said that "If you are using verify=3, stunnel checks client
> certificates against the set of certificates in CApath or CAfile, not
> against CAs and CRLs."
>
> Is it possible to check client certificates with certificates in CApath
> and also with CRLs?
Laurent,
By installing a certificate (to CApath or CAfile), you express your
trust in the certificate.
For the client certificates, you could either
o implicitly trust all certificates signed by an installed CA
certificate and not yet revoked (verify=2), or
o explicitly trust installed client certificates (verify=3).
In both cases, all installed certificates are fully trusted.
Cross-checking a trusted (client-) certificate against another
trusted (CA-) certificate does not raise security or trustworthiness.
In order to revoke a client certificate in verify=3 mode, just
uninstall it.
Ludolf
--
---------------------------------------------------------------
Ludolf Holzheid Tel: +49 621 339960
Bihl+Wiedemann GmbH Fax: +49 621 3392239
Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
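An added stunnel.conf example (not part of Ludolf's reply or the stunnel project's documentation) showing the two verify modes he describes side by side; the file paths, ports and service names are assumptions.

```ini
; Added example stunnel.conf, not from the original thread.
; All paths, ports and service names below are assumptions.
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

; verify = 2: accept any client certificate that chains to a CA found in
; CApath and is not listed in a CRL found in CRLpath.
; Both directories must use OpenSSL hash file names:
;   <hash>.0  for CA certificates (openssl x509 -hash -noout -in ca.pem)
;   <hash>.r0 for CRLs            (openssl crl  -hash -noout -in ca.crl)
; or run c_rehash on each directory. A client is revoked by publishing a
; new CRL; an expired CRL (past nextUpdate) makes every verification fail.
[https-ca-crl]
accept  = 443
connect = 127.0.0.1:8080
verify  = 2
CApath  = /etc/stunnel/cas
CRLpath = /etc/stunnel/crls

; verify = 3: accept only a client certificate that is itself installed in
; CApath (again hash-named, <hash>.0). No CRL is consulted, so, as the reply
; says, revocation means deleting that file and restarting stunnel.
[https-pinned]
accept  = 8443
connect = 127.0.0.1:8080
verify  = 3
CApath  = /etc/stunnel/clients
```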