Michal Trojnara Michal.Trojnara@mirt.net writes:
On 2013-09-17 01:17, Javier wrote:
I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate but just the top CA, without the full CA chain (all CAs part of the certificate).
If no one corrects me, L4 is as I told. But the best way is to test it.
It looks like I'll be the one to correct you. It is the opposite: "verify = 4" *only* checks your peer certificate, ignoring all the other certs in the chain. The rationale behind this mode is to be able to use:
1. Specific certificates issued by CAs you don't trust for any other certificates. This can also be achieved by "verify = 3".
2. Specific certificates issued by CAs for which you don't *have* the root certificate. This may happen, as SSL only requires servers to send the remaining part of the chain. Sending the root certificate itself is optional.
IMHO most stunnel deployments *should* use "verify = 4".
Thanks for explanations. So in which case would I ever use 3? Somehow I can't think of such a situation. If I already explicitly trust a specific certificate, why would I be interested in checking the CA chain?
Best,
-Nikolaus
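As an added illustration of the two modes discussed above (this is not from the original thread nor from the stunnel project), a client-side stunnel.conf with one service per mode. The service names, ports, hostnames and file paths are placeholder assumptions:

```ini
; Added example, not part of the thread. Assumed layout: the peer
; server's certificate (and, for verify = 3, its CA chain) was copied
; into /etc/stunnel/trusted/ out of band.

; verify = 4: only the peer's own certificate is matched against the
; locally installed copy. The chain the server sends is ignored, so the
; issuing CA's root does not have to be on this machine at all.
[backup-peer-cert-only]
client  = yes
accept  = 127.0.0.1:10443
connect = backup.example.com:443
verify  = 4
CAfile  = /etc/stunnel/trusted/backup-server.pem

; verify = 3: the chain is verified up to a trusted root AND the peer
; certificate itself must be locally installed, so CAfile has to hold
; the peer certificate plus every CA certificate up to and including
; the root, not just the leaf.
[backup-chain-and-peer]
client  = yes
accept  = 127.0.0.1:10444
connect = backup.example.com:443
verify  = 3
CAfile  = /etc/stunnel/trusted/backup-server-with-chain.pem
```

The practical difference shows up when the server's certificate is reissued: with verify = 4 the pinned file must be replaced, whereas with verify = 3 the chain check alone does not help either, because the new leaf still has to be installed locally. A plain "verify = 2" (chain only, no local copy of the peer certificate) is the mode to use when you want reissued certificates from the same CA to keep working. Later stunnel releases also accept the more explicit verifyChain and verifyPeer options, which express the same distinction as separate switches.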