[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
al_9x at yahoo.com
Thu Nov 3 21:31:41 CET 2011
On 11/3/2011 7:35 AM, Michal Trojnara wrote:
> I wrote:
>> Please test it and let us know if that's what you expected:
>> ftp://ftp.stunnel.org/stunnel/stunnel-4.46b2.tar.gz
>
> I found an error! Please try:
> ftp://ftp.stunnel.org/stunnel/stunnel-4.46b3.tar.gz
>
Appears to be working, thanks. A couple of questions about verify=4:

1. Are the certificates restricted to the host(s) specified in them (CN, alt name)? Or will they validate any site that happens to return them?

2. I think some host restriction makes sense, but rather than use what's inside the cert, it would be good to allow the user to specify the host name(s) which a given cert should be restricted to.

3. The certificates are only used for server verification; they would never be treated as a CA, right?