On Thu, 2011-04-28 17:06:28 +0200, laurent.uk@bnpparibas.com wrote:
Dear Ludolf, I need some help with the verify option.
I want to check the client certificate on my machine and also check whether the client's certificate is in the CRL list.
You said that "If you are using verify=3, stunnel checks client certificates against the set of certificates in CApath or CAfile, not against CAs and CRLs."
Is it possible to check client certificates with certificates in CApath and also with CRLs?
Laurent,
By installing a certificate (to CApath or CAfile), you express your trust in the certificate.
For the client certificates, you could either
o implicitly trust all certificates signed by an installed CA certificate and not yet revoked (verify=2), or
o explicitly trust installed client certificates (verify=3).
In both cases, all installed certificates are fully trusted. Cross-checking a trusted (client) certificate against another trusted (CA) certificate does not raise security or trustworthiness.
In order to revoke a client certificate in verify=3 mode, just uninstall it.
Ludolf
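The two modes Ludolf describes, side by side, as an added stunnel.conf example. It is not from the thread or from the stunnel distribution; the service names, ports and all file paths are assumed. The first service uses verify=2 (any certificate signed by the installed CA is accepted unless the CRL lists it); the second uses verify=3 with self-signed client certificates installed in CApath, so no CA chain and no CRL are involved and a client is revoked by removing its file.

```ini
; stunnel.conf fragment (added example; all paths and names are assumed)
; Both services terminate TLS and hand plaintext to a local backend.

; server identity, shared by both services
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

; --- verify=2: trust any client certificate signed by the CA, unless revoked ---
[https-ca]
accept  = 443
connect = 127.0.0.1:8080
verify  = 2
; only the issuing CA certificate(s) are installed here;
; individual client certificates are never copied to the server
CAfile  = /etc/stunnel/ca.pem
; revocation comes from the CA's CRL; regenerate it when a client is revoked
; and restart or reload stunnel so the new CRL is read
CRLfile = /etc/stunnel/ca.crl

; --- verify=3: trust only the client certificates installed in CApath ---
[https-pinned]
accept  = 8443
connect = 127.0.0.1:8080
verify  = 3
; directory of self-signed client certificates, one file per client,
; named by subject hash (e.g. 9d8f0a1b.0 -> alice.pem); see usage note
CApath  = /etc/stunnel/clients
; no CRLfile/CRLpath here: to revoke a client, delete its file from CApath
```

Files in a CApath directory are looked up by subject-name hash, so after copying alice.pem into /etc/stunnel/clients run `c_rehash /etc/stunnel/clients` (or `ln -s alice.pem "$(openssl x509 -hash -noout -in alice.pem).0"`) and reload stunnel; a certificate that is present but not hashed is not found and the client is rejected. In the verify=2 service, keep the CRL current: OpenSSL also checks the CRL's own validity period, so a CRL past its nextUpdate time causes every client handshake to fail, not just the revoked ones.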