[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Michal Trojnara Michal.Trojnara at mirt.net
Wed Nov 2 17:22:27 CET 2011


al_9x at yahoo.com wrote:
>> If the leaf (server) cert is declared trusted (added to
>> the cafile), there is no point in walking the trust chain.
>
> Michal Trojnara, can you comment please?  Can you support a mode of
> validation that allows one to trust the server certificate, without
> having to add the whole chain?

RFC 2246, section 7.4.2 (Server certificate) says:

    certificate_list
        This is a sequence (chain) of X.509v3 certificates. The sender's
        certificate must come first in the list. Each following
        certificate must directly certify the one preceding it. Because
        certificate validation requires that root keys be distributed
        independently, the self-signed certificate which specifies the
        root certificate authority may optionally be omitted from the
        chain, under the assumption that the remote end must already
        possess it in order to validate it in any case.

Not validating the chain would violate the protocol requirements.

With "verify=3" you don't really need the whole chain to be in your
CAfile: just the root certificate and the leaf certificate.

Mike
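The point of the RFC quote, in runnable form. The script below is an added example, not stunnel code or anything from this thread: it builds a constructed root -> intermediate -> leaf chain with the `openssl` CLI and then runs `openssl verify` against four combinations, where `-CAfile` stands in for stunnel's CAfile and `-untrusted` stands in for the extra certificates a peer sends in its `certificate_list`. All subject names, file names and serial numbers are made up for the demo, and the only tool assumed is the `openssl` command line.

```shell
#!/bin/sh
# Added example (not stunnel code): build a root -> intermediate -> leaf chain
# with the openssl CLI and show which trust-store / peer-chain combinations
# let the leaf verify. All names, files and serials are constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="$(mktemp -d)"
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# Minimal req config so the script does not depend on the system openssl.cnf;
# subjects are supplied with -subj.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# Extensions that mark a certificate as a CA allowed to sign other certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# new_csr NAME SUBJECT: fresh RSA key and CSR in $WORK/NAME.key and $WORK/NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
    # Root CA: self-signed and marked CA:TRUE. The only cert a verifier must hold.
    new_csr root "/CN=Example Root CA"
    openssl x509 -req -sha256 -days 30 -set_serial 1 -in "$WORK/root.csr" \
        -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
        -out "$WORK/root.pem" >/dev/null 2>&1
    # Intermediate CA: signed by the root. Normally sent by the peer, not pre-installed.
    new_csr inter "/CN=Example Intermediate CA"
    openssl x509 -req -sha256 -days 30 -set_serial 2 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" >/dev/null 2>&1
    # Leaf (server) cert: signed by the intermediate; first in certificate_list.
    new_csr leaf "/CN=stunnel.example"
    openssl x509 -req -sha256 -days 30 -set_serial 3 -in "$WORK/leaf.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    # Two combined trust files for the experiments below.
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/root_plus_inter.pem"
    cat "$WORK/root.pem" "$WORK/leaf.pem"  > "$WORK/root_plus_leaf.pem"
}

# verify_leaf CAFILE [UNTRUSTED]: exit status 0 when openssl accepts the leaf.
# CAFILE plays the role of stunnel's CAfile; UNTRUSTED plays the role of the
# extra certificates the peer presents after its own in certificate_list.
verify_leaf() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
    fi
}

# report LABEL CAFILE [UNTRUSTED]: print PASS/FAIL without aborting under set -e.
report() {
    label="$1"; shift
    if verify_leaf "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

build_chain
report "CAfile=root,              peer sends intermediate" "$WORK/root.pem"            "$WORK/inter.pem"
report "CAfile=root+leaf,         peer sends intermediate" "$WORK/root_plus_leaf.pem"  "$WORK/inter.pem"
report "CAfile=root+intermediate, peer sends leaf only"    "$WORK/root_plus_inter.pem"
report "CAfile=root,              peer omits intermediate" "$WORK/root.pem"
```

The first three checks pass and the last one fails with OpenSSL's "unable to get local issuer certificate". Read against the thread: the trust store needs the root (and, for stunnel's verify=3 as Michal describes it, the leaf as well), while the intermediate is expected to arrive in the peer's `certificate_list`, exactly as RFC 2246 requires. Copying the intermediate into CAfile (the third case) also verifies, which is why "the whole chain in CAfile" appears to be required when a peer fails to send its intermediate; the cleaner fix is to have the peer send the complete chain, and a failing fourth case is the symptom to look for when it does not.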
