20 Sep
2013
20 Sep
'13
5:28 a.m.
On 2013-09-20 05:27, Nikolaus Rath wrote:
IMHO most stunnel deployments *should* use "verify = 4".
Thanks for explanations. So in which case would I ever use 3? Somehow I can't think of such a situation. If I already explicitly trust a specific certificate, why would I be interested in checking the CA chain?
Good point. The reason is historical: "verify = 4" was added just 2 years ago. As stunnel is 15 years old I decided to keep "verify = 3" for backward compatibility. Alternatively I could have replaced the existing functionality of "verify = 3", but most people expect modifications of the already defined functionality on software updates to be as small as possible.
Mike