On Fri, 2013-09-20 09:25:24 -0700, Nikolaus Rath wrote:
Jochen Bern Jochen.Bern@LINworks.de writes:
On 20.09.2013 05:27, Nikolaus Rath wrote:
So in which case would I ever use 3? Somehow I can't think of such a situation. If I already explicitly trust a specific certificate, why would I be interested in checking the CA chain?
Imagine the CA (or one of the intermediate CAs) getting compromised and corresponding revocations becoming available to your machine (by OS updates, OCSP, whatever) before you hear of the incident.
FWIW, I still don't see why I'd use verify=3 in that case.
Nikolaus,
With verify=3, you don't explicitly trust the peer certificate, but you restrict the use of /valid/ certificates issued by a certain CA to the ones locally installed.
Revoking the server certificate or one of the intermediate certificates renders the peer certificate invalid and stunnel will reject it (if the CRLs are available to stunnel), even though it is still locally installed.
Ludolf
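The following POSIX shell script is an added example, not code from this thread and not stunnel's own code. It rebuilds the situation Ludolf describes with the openssl CLI: a root CA issues an intermediate, the intermediate issues a server certificate, and that server certificate file stays on disk unchanged, which is what a verify=3 stunnel would have locally installed. The root then revokes the intermediate and reissues its CRL. Chain validation with `openssl verify -crl_check_all` stands in for the check stunnel performs when CRLs are available to it; all names (Example Root, Example Intermediate, server.example) are invented for the demo, and the script assumes an `openssl` binary (1.1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from stunnel: rebuild the
# situation Ludolf describes with the openssl CLI.  A root CA issues an
# intermediate, the intermediate issues a server certificate, and the server
# certificate file stays on disk unchanged ("locally installed") throughout.
# The only thing that changes is the CRL the root publishes.  Every name here
# (Example Root, Example Intermediate, server.example) is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file: an empty DN section for "openssl req" (names come from
# -subj) and one section per CA for "openssl ca", so each CA keeps its own
# index and signs its own CRL.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ root_ca ]
database         = root.db
crlnumber        = root.crlnum
certificate      = root.crt
private_key      = root.key
default_md       = sha256
default_days     = 365
default_crl_days = 30

[ inter_ca ]
database         = inter.db
crlnumber        = inter.crlnum
certificate      = inter.crt
private_key      = inter.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
EOF

genkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

setup_pki() {
    : > root.db;  echo 01 > root.crlnum
    : > inter.db; echo 01 > inter.crlnum

    # Root CA: self-signed, CA:TRUE, allowed to sign CRLs.
    genkey root.key
    openssl req -x509 -new -key root.key -out root.crt -days 365 -config ca.cnf \
        -subj "/CN=Example Root" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

    # Intermediate CA, signed by the root.
    genkey inter.key
    openssl req -new -key inter.key -out inter.csr -config ca.cnf \
        -subj "/CN=Example Intermediate" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile inter.ext -days 365 -out inter.crt 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate.  This is the file
    # a verify=3 stunnel would have locally installed.
    genkey server.key
    openssl req -new -key server.key -out server.csr -config ca.cnf \
        -subj "/CN=server.example" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\n' > server.ext
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -extfile server.ext -days 365 -out server.crt 2>/dev/null

    # Both CAs publish an (initially empty) CRL.  "openssl verify -CRLfile"
    # takes a single file, so the two CRLs are concatenated.
    openssl ca -config ca.cnf -name root_ca  -gencrl -out root.crl  2>/dev/null
    openssl ca -config ca.cnf -name inter_ca -gencrl -out inter.crl 2>/dev/null
    cat root.crl inter.crl > all.crl
}

# Validate server.crt against the root, optionally checking every certificate
# in the chain against the CRLs (the check stunnel performs when it has CRLs).
# Prints openssl's verdict and returns its exit status (0 = accepted).
verify_chain() {   # $1 = "crl" or "nocrl"
    if [ "$1" = crl ]; then
        openssl verify -crl_check_all -CRLfile all.crl -CAfile root.crt \
            -untrusted inter.crt server.crt 2>&1
    else
        openssl verify -CAfile root.crt -untrusted inter.crt server.crt 2>&1
    fi
}

# The root learns its intermediate was compromised: revoke it, reissue the CRL.
revoke_intermediate() {
    openssl ca -config ca.cnf -name root_ca -revoke inter.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -name root_ca -gencrl -out root.crl 2>/dev/null
    cat root.crl inter.crl > all.crl
}

setup_pki
BEFORE=$(verify_chain crl) && BEFORE_RC=0 || BEFORE_RC=$?
revoke_intermediate
AFTER=$(verify_chain crl) && AFTER_RC=0 || AFTER_RC=$?
NO_CRL=$(verify_chain nocrl) && NO_CRL_RC=0 || NO_CRL_RC=$?

echo "with CRLs, before revocation (rc=$BEFORE_RC):"; echo "$BEFORE"
echo "with CRLs, after the root revoked the intermediate (rc=$AFTER_RC):"; echo "$AFTER"
echo "same files, no CRLs available (rc=$NO_CRL_RC):"; echo "$NO_CRL"
```

The first run accepts the chain; the second rejects the very same server.crt with "certificate revoked" at depth 1, the intermediate. The third run, with no CRLs, still accepts it, which is the "(if the CRLs are available to stunnel)" caveat above: with `verify = 3`, stunnel's `CAfile` would carry the root and intermediate, and `CRLfile` (or `CRLpath`) the concatenated CRLs; without the latter the revocation goes unnoticed.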