
On Fri, 2013-09-20 09:25:24 -0700, Nikolaus Rath wrote:
> Jochen Bern <Jochen.Bern@LINworks.de> writes:
> > On 20.09.2013 05:27, Nikolaus Rath wrote:
> > > So in which case would I ever use 3? Somehow I can't think of such a situation. If I already explicitly trust a specific certificate, why would I be interested in checking the CA chain?
> >
> > Imagine the CA (or one of the intermediate CAs) getting compromised and corresponding revocations becoming available to your machine (by OS updates, OCSP, whatever) before you hear of the incident.
>
> FWIW, I still don't see why I'd use verify=3 in that case.
Nikolaus,

With verify=3, you don't explicitly trust the peer certificate, but you restrict the use of /valid/ certificates issued by a certain CA to the ones locally installed. Revoking the server certificate or one of the intermediate certificates renders the peer certificate invalid and stunnel will reject it (if the CRLs are available to stunnel), even though it still is locally installed.

Ludolf

-- 
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
Tel: +49 621 33996-0
Fax: +49 621 3392239
mailto:lholzheid@bihl-wiedemann.de
http://www.bihl-wiedemann.de
Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Mannheim District Court, HRB 5796
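To make the distinction Ludolf draws concrete, the following is an added example, not part of the thread and not stunnel's own code. It models stunnel's verify levels 2, 3 and 4 with nothing but the openssl command-line tool: it builds a throwaway CA, has it issue two certificates, revokes one of them, and then shows which level accepts which peer certificate. `verify2` is the plain chain check with CRL lookup, `verify3` additionally requires the presented certificate to be one of the locally installed ones, and `verify4` checks only the locally installed copy and never looks at the chain or the CRL. The function names, the directory `installed/` standing in for what stunnel reads from CApath/CAfile, and the whole-certificate fingerprint comparison are this example's own assumptions; stunnel makes the same decisions inside its OpenSSL verify callback rather than by running commands.

```shell
#!/bin/sh
# Model of stunnel's verify levels 2, 3 and 4 built from the openssl CLI.
# Added example; the PKI below is constructed on the fly and thrown away.
set -e

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
CA="$W/ca.crt"
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# --- constructed test PKI: one CA, two leaf certs it issued, two CRLs ------
cat > "$W/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
printf 'basicConstraints = CA:FALSE\n' > "$W/leaf.ext"

q openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$W/ca.key" -out "$W/ca.csr" -subj "/CN=Example Test CA"
q openssl x509 -req -in "$W/ca.csr" -signkey "$W/ca.key" -days 2 \
    -extfile "$W/ca.ext" -out "$CA"

for name in srv other; do
    q openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$W/$name.key" -out "$W/$name.csr" -subj "/CN=$name.example"
    q openssl x509 -req -in "$W/$name.csr" -CA "$CA" -CAkey "$W/ca.key" \
        -CAcreateserial -days 1 -extfile "$W/leaf.ext" -out "$W/$name.crt"
done

# Minimal "openssl ca" setup, used only to record a revocation and issue CRLs.
cat > "$W/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database   = $W/index.txt
default_md = sha256
EOF
: > "$W/index.txt"
ca_tool() { q openssl ca -config "$W/ca.cnf" -cert "$CA" -keyfile "$W/ca.key" "$@"; }
ca_tool -gencrl -crldays 1 -out "$W/empty.crl"     # CRL before any revocation
ca_tool -revoke "$W/srv.crt"                       # the CA later revokes srv
ca_tool -gencrl -crldays 1 -out "$W/revoked.crl"   # CRL that lists srv

# "Locally installed" peer certificate (stunnel: CApath/CAfile); assumed layout.
mkdir "$W/installed"
cp "$W/srv.crt" "$W/installed/"

# --- the three verify levels, each returning 0 = accept, 1 = reject --------
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Chain validation plus revocation check against the given CRL: what level 2
# does once CAfile and CRLfile/CRLpath are configured.
chain_ok() { q openssl verify -crl_check -CAfile "$CA" -CRLfile "$2" "$1"; }

# Is the presented certificate identical to one installed under directory $2?
# The comparison is of the whole certificate, hence a fingerprint match.
installed() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        [ "$(fingerprint "$f")" = "$(fingerprint "$1")" ] && return 0
    done
    return 1
}

# Arguments: $1 peer certificate, $2 CRL to consult, $3 installed-cert directory.
verify2() { chain_ok "$1" "$2"; }
verify3() { chain_ok "$1" "$2" && installed "$1" "$3"; }
verify4() { installed "$1" "$3"; }

# --- report: which level accepts which peer in which situation -------------
report() { d=$1; shift; if "$@"; then echo "accept  $d"; else echo "reject  $d"; fi; }
report "verify=2  other.crt  nothing revoked" verify2 "$W/other.crt" "$W/empty.crl"   "$W/installed"
report "verify=3  other.crt  nothing revoked" verify3 "$W/other.crt" "$W/empty.crl"   "$W/installed"
report "verify=3  srv.crt    nothing revoked" verify3 "$W/srv.crt"   "$W/empty.crl"   "$W/installed"
report "verify=3  srv.crt    srv revoked"     verify3 "$W/srv.crt"   "$W/revoked.crl" "$W/installed"
report "verify=4  srv.crt    srv revoked"     verify4 "$W/srv.crt"   "$W/revoked.crl" "$W/installed"
```

Run it with `sh`. The first two report lines are the answer to "why not just verify=2": `other.crt` was issued by the same CA and passes level 2, but it is not installed locally, so level 3 rejects it. The last two lines are Ludolf's point against verify=4: once the CRL listing `srv.crt` is available, level 3 rejects the certificate even though it is still installed, whereas level 4 keeps accepting it because that level never consults the CA or its CRLs. In stunnel the CRL reaches the check through the CRLfile or CRLpath options; without them, level 3 behaves like the `empty.crl` cases here.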