
List:       stunnel-users
Subject:    Re: [stunnel-users]
From:       Ludolf Holzheid <lholzheid () bihl-wiedemann ! de>
Date:       2011-04-28 16:46:59
Message-ID: 20110428164659.GA19134 () shadow ! bihl-wiedemann ! de

On Thu, 2011-04-28 17:06:28 +0200, laurent.uk@bnpparibas.com wrote:
> Dear Ludolf, I need some help with the verify option.
> 
> I want to check the client certificate on my machine and also check if the 
> client's certificate is in the CRL list.
> 
> You said that "
> If you are using verify=3, stunnel checks client certificates against
> the set of certificates in CApath or CAfile, not against CAs and CRLs."
> 
> Is it possible to check client certificates with certificates in CApath 
> and also with CRLs?

Laurent,

By installing a certificate (to CApath or CAfile), you express your
trust in the certificate.

For the client certificates, you could either

 o implicitly trust all certificates signed by an installed CA
   certificate and not yet revoked (verify=2), or

 o explicitly trust installed client certificates (verify=3).

In both cases, all installed certificates are fully trusted.
Cross-checking a trusted (client-) certificate against another
trusted (CA-) certificate does not raise security or trustworthiness.

In order to revoke a client certificate in verify=3 mode, just
uninstall it.

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
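As an added illustration (not part of the thread), the two verification modes Ludolf describes, written as two stunnel service sections; the option names (verify, CApath, CRLpath, cert, key, accept, connect) are stunnel's own, while the service names, ports and file paths are assumptions:

```ini
; Added example, not from the thread. Service names, ports and paths are assumed.

; Mode 1: verify=2. Any client certificate that chains to an installed CA
; and is not revoked is accepted. Revocation comes from the CRL, so
; CRLpath (or CRLfile) is what makes the "not yet revoked" part work.
[service-ca-mode]
accept  = 8443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
verify  = 2
; CA certificates, directory hashed with c_rehash
CApath  = /etc/stunnel/cas
; CRLs issued by those CAs, directory also hashed with c_rehash
CRLpath = /etc/stunnel/crls

; Mode 2: verify=3. Only client certificates that are themselves installed
; in CApath (or CAfile) are trusted. No CRL is consulted here; to revoke
; a client, remove its certificate from CApath and re-run c_rehash.
[service-pinned-mode]
accept  = 9443
connect = 127.0.0.1:8080
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
verify  = 3
; the individual client certificates, directory hashed with c_rehash
CApath  = /etc/stunnel/clients
```

Both sections illustrate Ludolf's point: whatever sits in CApath is fully trusted in either mode, so the CRL only adds value in verify=2, where trust is delegated to a CA.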

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

