On Fri, 13 Sep 2013 22:55:14 -0700 Nikolaus Rath <Nikolaus@rath.org> wrote:
> Hello,
> Thanks for writing stunnel, it looks like a great tool!
> I have, however, a really hard time understanding the difference between verify=2, 3 and 4. In the manpage, I found
>
>     verify = level
>         verify peer certificate
>             level 0 - request and ignore peer certificate
>             level 1 - verify peer certificate if present
>             level 2 - verify peer certificate
>             level 3 - verify peer with locally installed certificate
>             level 4 - ignore CA chain and only verify peer certificate
>             default - no verify
>
> Levels 0-2 seem pretty clear cut, but then it becomes confusing for me.
> First, I do not understand how level 3 differs from level 2. What does "against a locally installed certificate" mean? It seems to me that I certainly need to have a local copy of the trusted CAs even in level 2 -- at least I hope that they aren't somehow built in to stunnel. But there is also just one CApath option, so will that be used for level 2 or level 3?
Hi,
They differ in how you manage certificates to validate them.
Level 2 verifies the peer certificate against the CA (CAfile).
Level 3 verifies the peer certificate against the CA and also against a local copy of that certificate in the CAfile. In other words, in addition to the CA certificates you'll have the incoming peer certificates in that file. And you verify that it is valid not only against the CA, but also against the certificate itself, in that file.
It's a way of double-checking to ensure it's not a fake certificate.
> For level 4, the "ignore the CA chain" path is fine -- but where do I put the peer certificates that I'm willing to accept? CApath seems wrong, but cert is already used for the server's own certificate...
In the CAfile.
I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate but just the top CA, without the full CA chain (all CAs that are part of the certificate).
If no one corrects me, level 4 is as I described. But the best way is to test it.
Regards.
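As an added example (not part of this thread and not from the stunnel project), here is how the two levels the reply contrasts would look in a stunnel.conf service section. The option names `verify`, `cert` and `CAfile` are the ones from the manpage excerpt above; `key`, `accept` and `connect` are standard stunnel options included only to make each section complete, and every file name and port is a constructed placeholder.

```ini
; Level 2: the peer certificate must chain to a CA listed in CAfile.
; CAfile holds only CA certificates (placeholder paths).
[backend-level2]
accept  = 8443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
CAfile  = /etc/stunnel/ca-only.pem
verify  = 2

; Level 3: as above, and the presented peer certificate must itself be
; present in CAfile. Following the reply, that file is built by appending
; each accepted peer certificate to the CA certificates, for example:
;   cat ca.pem client1.pem client2.pem > /etc/stunnel/ca-and-peers.pem
[backend-level3]
accept  = 9443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
CAfile  = /etc/stunnel/ca-and-peers.pem
verify  = 3
```

The practical difference, as the reply describes it, is entirely in what goes into CAfile: with level 2 any certificate the CA has issued is accepted, while with level 3 only the specific peer certificates you have appended to the file pass, so a newly issued certificate from the same CA is rejected until you add it.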