[SATLUG] stunnel and the stunnel verify level

David Salisbury david.salisbury at momentumweb.com
Thu Feb 3 12:36:57 CST 2011


I'm trying to get stunnel set up to wrap a pop3 service, and I can get 
it working with the default "verify = 0" or even "verify = 1".  However, 
if I up the verify level to "verify = 2" or "verify = 3" I'm having 
trouble, presumably because I have no CA.  The docs say that those auth 
settings should be set away from the default so as to prevent any 
man-in-the-middle attacks, but I'm not sure if a "verify = 1" is enough 
of a setting to do so or if it needs to be at 2 or 3 to prevent such 
attacks.

According to the docs:
level 1 - verify peer certificate if present
level 2 - verify peer certificate
level 3 - verify peer with locally installed certificate
default - no verify

I have a self-signed cert and, as I said, no "official" CA, but I'd like 
to get this set up without an official CA since I'm just testing it (and 
will probably be using it) internally.  I've looked at lots of stunnel 
mailing list posts and docs, and can't find any reference to my question.

Here's a link to the stunnel man page:
http://www.stunnel.org/static/stunnel.html

Any thoughts?
David
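As an added example (not from the original post or the stunnel project): a client-side stunnel.conf that wraps POP3 and pins the server's self-signed certificate as its own trust anchor, shown beside the weak settings. The hostname, paths and section name are constructed placeholders.

```ini
; Constructed example stunnel.conf for the CLIENT side of a POP3 wrapper.
; "verify" always applies to the PEER: on a client it checks the server's
; certificate, on a server it checks client certificates. So the MITM
; protection for the mail server lives in the client's config.

; --- weak ---------------------------------------------------------------
; verify = 0        ; default: no certificate check at all
; verify = 1        ; checks the peer certificate only if one is presented
; Neither setting requires a CAfile, and neither ties the connection to a
; particular server certificate, so a proxied connection is not detected.

; --- hardened -----------------------------------------------------------
client = yes

; The server's own self-signed certificate (PEM), copied out of band.
; A self-signed cert is its own issuer, so it can serve as the "CA" here;
; no external CA is needed.
CAfile = /etc/stunnel/pop3-server.pem   ; constructed path

; level 2: the peer certificate must chain to something in CAfile/CApath.
; level 3: additionally, the peer certificate itself must be present in
;          the local store (stricter pinning; with a single self-signed
;          cert in CAfile both levels accept exactly that server).
verify = 2

[pop3s]                                 ; constructed section name
accept  = 127.0.0.1:110                 ; plain POP3 for the local client
connect = mail.example.internal:995     ; constructed remote stunnel endpoint
```

On the server side the same `verify` option would instead demand client certificates from every POP3 client, which is a separate decision from protecting the server's identity.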


