[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/2/2011 12:22 PM, Michal Trojnara wrote:
>
> Not validating the chain would violate the protocol requirements.
>

I am not suggesting you should abandon normal CA based validation, but 
that in addition to it, you could support an alternative validation 
model where the user can grant trust to the server cert, which renders 
any further validation unnecessary.  Considering you support running 
without any validation whatsoever, doesn't make sense that you object to 
this alternative approach.

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]