Hello,
Thanks for writing stunnel, it looks like a great tool!
I have, however, a really hard time understanding the difference between verify=2, 3 and 4. In the manpage, I found
    verify = level
        verify peer certificate
            level 0 - request and ignore peer certificate
            level 1 - verify peer certificate if present
            level 2 - verify peer certificate
            level 3 - verify peer with locally installed certificate
            level 4 - ignore CA chain and only verify peer certificate
            default - no verify
Levels 0-2 seem pretty clear cut, but then it becomes confusing for me.
First, I do not understand how level 3 differs from level 2. What does "against a locally installed certificate" mean? It seems to me that I certainly need to have a local copy of the trusted CAs even in level 2 -- at least I hope that they aren't somehow built in to stunnel. But there is also just one CApath option, so will that be used for level 2 or level 3?
For level 4, the "ignore the CA chain" path is fine -- but where do I put the peer certificates that I'm willing to accept? CApath seems wrong, but cert is already used for the server's own certificate...
Best,
-Nikolaus
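As an added illustration of the three levels the question is about (example configuration, not part of this thread and not taken from the stunnel sources), here are three assumed server-side stunnel.conf services side by side. The paths and ports are made up, and the premise that levels 3 and 4 look the accepted peer certificates up in CApath, stored under OpenSSL's hashed file names, is an assumption drawn from the stunnel manual rather than from this message.

```ini
; Added example (assumed stunnel.conf fragment), not from the mailing-list post.
; All file paths and ports below are placeholders.
cert = /etc/stunnel/server.pem          ; the server's own certificate and key

[level2-chain]
; Level 2: the client must present a certificate that chains to a CA found
; in CApath. Every certificate that CA ever issued is accepted, so this
; trusts the CA, not one particular peer.
accept  = 4433
connect = 127.0.0.1:8080
verify  = 2
CApath  = /etc/stunnel/trusted-cas      ; <subject_hash>.0 files of the CA certs

[level3-pinned]
; Level 3 (assumed semantics): the chain is verified as in level 2, and in
; addition the peer's own certificate must itself be present as a file in
; CApath. Only the listed peers are accepted, not everything the CA signed.
accept  = 4434
connect = 127.0.0.1:8080
verify  = 3
CApath  = /etc/stunnel/peers-and-cas    ; CA certs plus each accepted peer cert

[level4-selfsigned]
; Level 4 (assumed semantics): no chain check at all; the peer certificate
; only has to match a file in CApath. Typical for self-signed peer
; certificates that have no CA behind them.
accept  = 4435
connect = 127.0.0.1:8080
verify  = 4
CApath  = /etc/stunnel/peers            ; only the accepted peer certificates
```

The files in each CApath directory follow the OpenSSL lookup convention, named by the output of `openssl x509 -noout -hash -in peer.pem` with a `.0` suffix; a certificate dropped in under its original `.pem` name is not found.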