As indicated in a previous mail to this list I was surprised by the following behavior: With "verify=3" stunnel doesn't compare the peer's certificate with the locally installed certificate for actual equality but it only checks whether they have the same subject.
The recent Comodo incident[1] has shown that it is not impossible to get a certificate which matches the subject of the certificate of some interesting server and is signed by a trusted CA. That's why I was interested in a stricter form of verification (at least in client mode).
I have attached a small patch, derived from code in the file "mutt_ssl.c" of the Mutt[2] mail client, which adds a check for equality of SHA-1 hashes to the "verify=3" certificate check. I mainly wrote it for personal use but maybe someone else will find it useful or has some comments.
Regards, Philipp
[1] http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-...
[2] http://www.mutt.org/
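The difference the post describes, as an added shell example that is not part of the post, the attached patch or stunnel itself: two self-signed certificates with the same subject are generated as constructed test data, and a subject-only comparison accepts the second one while a SHA-1 fingerprint comparison does not. It assumes the openssl command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or stunnel): compare a
# subject-only peer check with a fingerprint check. Assumes `openssl` exists.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert FILE SUBJECT: self-signed certificate with a fresh key (constructed data)
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# subject_of FILE: the subject DN, which is all a subject-only check compares
subject_of() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# fingerprint_of FILE: SHA-1 over the DER encoding, which the stricter check compares
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# verify_by_subject PEER PINNED: succeeds whenever the subjects agree
verify_by_subject() {
    [ "$(subject_of "$1")" = "$(subject_of "$2")" ]
}

# verify_by_fingerprint PEER PINNED: succeeds only for the identical certificate
verify_by_fingerprint() {
    [ "$(fingerprint_of "$1")" = "$(fingerprint_of "$2")" ]
}

PINNED="$WORK/pinned.pem"
PEER="$WORK/peer.pem"
make_cert "$PINNED" "/CN=mail.example.test"
make_cert "$PEER"   "/CN=mail.example.test"   # same subject, different key

if verify_by_subject "$PEER" "$PINNED"; then
    echo "subject check: accepted"
fi
if verify_by_fingerprint "$PEER" "$PINNED"; then
    echo "fingerprint check: accepted"
else
    echo "fingerprint check: rejected (not the pinned certificate)"
fi
```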