[stunnel-users] Tr : Réf. : Re: Need some informations about stunnel (AC,?crl?files)

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Thu Apr 28 18:46:59 CEST 2011


On Thu, 2011-04-28 17:06:28 +0200, laurent.uk at bnpparibas.com wrote:
> Dear Ludolf i need some help with the verify option.
> 
> I want to check the certificate client in my machine and also check if the 
> certificate's client is in the crl list.
> 
> You said that "
> If you are using verify=3, stunnel checks client certificates against
> the set of certificates in CApath or CAfile, not against CAs and CRLs."
> 
> Is it possible to check client certificates with certificates in CaPath 
> and also with CRls?

Laurent,

By installing a certificate (to CApath or CAfile), you express your
trust in the certificate.

For the client certificates, you could either

 o implicitly trust all certificates signed by an installed CA
   certificate and not yet revoked (verify=2), or

 o explicitly trust installed client certificates (verify=3).

In both cases, all installed certificates are fully trusted.
Cross-checking a trusted (client-) certificate against an other
trusted (CA-) certificate does not raise security or trustworthiness.

In order to revoke a client certificate in verify=3 mode, just
uninstall it.

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------




More information about the stunnel-users mailing list