[stunnel-users] Difference between verify=2, 3 and 4

Michal Trojnara Michal.Trojnara at mirt.net
Fri Sep 20 07:36:23 CEST 2013


On 2013-09-20 04:30, Javier wrote:
> But a bit contradictory to accept a certificate that has been issued by a CA
> you don't trust, just for the main purpose of establishing an SSL connection.

It seems to be contradictory, but it is not.  You often cannot control
the certificate of your peer server.  In case its certificate is issued
by a large CA, you really want to make sure you're connecting to this
specific server, and not any other server with certificate issued by the
same CA.  Web browsers use CNAME/SubjectAltName verification to solve
the same problem in a different way.

Mike
