On Thu, 19 Sep 2013 21:05:44 +0200 Michal Trojnara Michal.Trojnara@mirt.net wrote:
> On 2013-09-17 01:17, Javier wrote:
>> I didn't use level 4, but if I'm not wrong, it doesn't check for a local certificate but just the top CA, without the full CAs chain (all CAs part of the certificate).
>> If no one corrects me, L4 is as I told. But the best way is to test it.
> It looks like I'll be the one to correct you.
Hi.
Better you, as the developer, than anyone else haha. So, glad you did :)
> It is the opposite: "verify = 4" *only* checks your peer certificate, ignoring all the other certs in the chain. The rationale behind this mode is to be able to use:
> 1. Specific certificates issued by CAs you don't trust for any other certificates. This can also be achieved by "verify = 3".
> 2. Specific certificates issued by CAs for which you don't *have* the root certificate. This may happen, as SSL only requires servers to send the remaining part of the chain. Sending the root certificate itself is optional.
> IMHO most stunnel deployments *should* use "verify = 4".
I think I understand now.
But a bit contradictory to accept a certificate that has been issued by a CA you don't trust, just for the main purpose of establishing an SSL connection.
It depends on the service you are offering, I guess.
On the other hand, I mainly use Stunnel in client mode.
Thanks for the explanation, Michal :)
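The two verification modes Michal describes, written out as client-mode stunnel.conf sections. This is an added example, not configuration from anyone in the thread; the hostname, ports and file paths are assumed.

```ini
; stunnel.conf (added example). Two client-mode services forwarding a local
; plaintext port to the same TLS server, differing only in how the server
; certificate is verified.

[imap-pinned]
client = yes
accept = 127.0.0.1:1143
connect = mail.example.com:993          ; assumed server
; Level 4: only the server's own (leaf) certificate is compared against the
; certificates in CAfile. The intermediate/CA certificates the server sends
; are ignored, so this works even when the root is not available to us.
verify = 4
; Holds just the server's leaf certificate in PEM form, obtained out of band.
CAfile = /etc/stunnel/mail.example.com.pem

[imap-chain]
client = yes
accept = 127.0.0.1:2143
connect = mail.example.com:993          ; assumed server
; Level 3: the server certificate must again be present locally, but the
; whole chain is verified as well, so CAfile also has to contain the issuing
; CA certificates up to a root that acts as trust anchor.
verify = 3
CAfile = /etc/stunnel/mail.example.com-with-chain.pem
```

With level 4 a rotated server certificate fails verification until the new leaf is placed in CAfile; with level 3 the same happens unless the new leaf is added, even though its chain would validate.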