[stunnel-users] Difference between verify=2, 3 and 4

Michal Trojnara Michal.Trojnara at mirt.net
Fri Sep 20 07:28:37 CEST 2013


On 2013-09-20 05:27, Nikolaus Rath wrote:
>> IMHO most stunnel deployments *should* use "verify = 4".
> Thanks for explanations. So in which case would I ever use 3? Somehow I
> can't think of such a situation. If I already explicitly trust a
> specific certificate, why would I be interested in checking the CA
> chain?

Good point.  The reason is historical: "verify = 4" was added just 2
years ago.  As stunnel is 15 years old I decided to keep "verify = 3"
for backward compatibility.  Alternatively I could have replaced the
existing functionality of "verify = 3", but most people expect
modifications of the already defined functionality on software updates
to be as small as possible.

Mike
