
Re: Auto plugged off?



again, being an smtp relay

randy

---

there are a few technical differences:

- the verify level (see stunnel(8)) lets you choose whether to do (1)
  opportunistic cert verification, (2) cert verification from a trust
  anchor, or (3) cert verification that must match a locally installed
  cert.  the most useful of these is usually (2), which is the mode
  that gnutls-cli does.

- gnutls-cli does the commonName check, not sure stunnel does.

- stunnel has a list of protocols (including pop3 and imap) for which
  it knows how to do starttls negotiation, and lets you specify one of
  these, after which it will automatically perform the negotiation.

  gnutls-cli has a --starttls option but it doesn't do the negotiation
  for you; instead, it opens a plain connection, waits quietly for you
  to do the protocol-specific starttls negotiation yourself, then you
  send gnutls-cli a signal (eof or sigalrm) to tell it that you now
  want it to start speaking tls for you.

stunnel's starttls support is probably the deciding factor here.  if
i were using imap with starttls instead of imaps, i'd want this.
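Added example, not code from either poster or from the stunnel/gnutls projects: it shows the two steps the reply separates for the IMAP case. First the protocol-specific STARTTLS exchange that gnutls-cli leaves to the user (and stunnel's protocol setting performs for you), then the handoff to TLS under one of the three verify policies named above (opportunistic, trust anchor, or a locally pinned cert), with the server_hostname argument driving the commonName/SAN check that gnutls-cli does. The client tag, the canned server replies and the socketpair harness are constructed for offline use; connect_imap_starttls takes whatever host you supply.

```python
import socket
import ssl
import threading

# IMAP client tag used for the STARTTLS command (constructed value).
TAG = b"a001"


def read_line(sock):
    """Read one CRLF-terminated IMAP line from a plain socket."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection before CRLF")
        buf += chunk
    return bytes(buf)


def negotiate_imap_starttls(sock):
    """Do the IMAP STARTTLS exchange by hand (RFC 2595 / RFC 3501).

    Returns True once the server answers 'a001 OK', False on NO/BAD.
    After the OK nothing further may be read as plaintext: the caller
    must hand the socket to TLS immediately.
    """
    greeting = read_line(sock)
    if not greeting.startswith(b"* OK"):
        raise ConnectionError("unexpected greeting: %r" % greeting)
    sock.sendall(TAG + b" STARTTLS\r\n")
    while True:
        line = read_line(sock)
        if line.startswith(b"* "):      # untagged replies may precede the tagged one
            continue
        if line.startswith(TAG + b" OK"):
            return True
        if line.startswith(TAG + b" NO") or line.startswith(TAG + b" BAD"):
            return False
        raise ConnectionError("unexpected reply: %r" % line)


def build_client_context(mode, pinned_cert=None):
    """TLS context for one of the three verify policies from the thread.

    "opportunistic": accept any cert (defeats passive sniffing only);
    "anchor": require a cert chaining to the system trust store and
    matching the hostname (the usual choice);
    "pinned": trust only the locally installed PEM file in pinned_cert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if mode == "opportunistic":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == "anchor":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
    elif mode == "pinned":
        if pinned_cert is None:
            raise ValueError("pinned mode needs a certificate file path")
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=pinned_cert)  # only this cert is trusted
    else:
        raise ValueError("unknown mode %r" % mode)
    return ctx


def connect_imap_starttls(host, port=143, mode="anchor", pinned_cert=None):
    """Plain connect, manual STARTTLS, then TLS under the chosen policy."""
    sock = socket.create_connection((host, port))
    if not negotiate_imap_starttls(sock):
        sock.close()
        raise ConnectionError("server refused STARTTLS")
    ctx = build_client_context(mode, pinned_cert)
    # server_hostname is what the commonName / SAN check is compared against
    return ctx.wrap_socket(sock, server_hostname=host)


def run_against_fake_server(server_lines):
    """Exercise the negotiation offline against constructed server replies.

    server_lines[0] is the greeting; the rest are sent after the server
    has consumed the client's STARTTLS command.
    """
    client, server = socket.socketpair()

    def serve():
        server.sendall(server_lines[0])
        read_line(server)                    # consume "a001 STARTTLS"
        for line in server_lines[1:]:
            server.sendall(line)
        server.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        return negotiate_imap_starttls(client)
    finally:
        t.join()
        client.close()


if __name__ == "__main__":
    ok = run_against_fake_server([b"* OK IMAP4rev1 ready\r\n",
                                  b"a001 OK Begin TLS negotiation now\r\n"])
    print("STARTTLS accepted:", ok)
```

The "anchor" policy is the one the reply calls most useful: a certificate chaining to a trusted CA plus a hostname match. Dropping either half (CERT_NONE, or check_hostname off) leaves an active attacker able to substitute their own certificate, which is exactly the gap the opportunistic level accepts.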