[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Michal Trojnara Michal.Trojnara at mirt.net
Thu Nov 3 10:41:54 CET 2011


al_9x at yahoo.com wrote:
> I am not suggesting you should abandon normal CA based validation,
> but that in addition to it, you could support an alternative
> validation model where the user can grant trust to the server cert,
> which renders any further validation unnecessary.  Considering you
> support running without any validation whatsoever, it doesn't make sense
> that you object to this alternative approach.

I've implemented this functionality as "verify=4".

Please test it and let us know if that's what you expected:
ftp://ftp.stunnel.org/stunnel/stunnel-4.46b2.tar.gz

A similar idea was proposed for the OpenSSL protocol itself:
https://tools.ietf.org/html/draft-wouters-tls-oob-pubkey-01

Best regards,
     Michal Trojnara
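The trust model under discussion, where the user pins the server's own certificate instead of validating a CA chain, as an added Python illustration. This is not stunnel's code and does not show stunnel's verify=4 implementation; the pin-file format, the certificate bytes and the names are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SERVER_CERT_DER = b"constructed DER bytes of the server's own certificate"
ROTATED_CERT_DER = b"constructed DER bytes of the server's next certificate"
IMPOSTOR_CERT_DER = b"constructed DER bytes of a certificate issued by someone else"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the fingerprint a user would pin."""
    return hashlib.sha256(der).hexdigest()


# Constructed pin file in a hypothetical one-pin-per-line format.
PIN_FILE = f"""
# pins for example.test (constructed sample)
sha256:{fingerprint(SERVER_CERT_DER)}
sha256:{fingerprint(ROTATED_CERT_DER)}   # next cert, pinned ahead of rotation
"""


def load_pins(text: str) -> set[str]:
    """Parse the hypothetical pin file; reject anything that is not a SHA-256 pin."""
    pins = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        algo, _, digest = line.partition(":")
        if algo.lower() != "sha256" or len(digest) != 64:
            raise ValueError(f"unsupported pin line: {raw!r}")
        pins.add(digest.lower())
    return pins


PINS = load_pins(PIN_FILE)


def verify_peer(presented_der: bytes, pins: set[str]) -> bool:
    """Leaf-pinning check: accept the peer iff its own certificate is pinned.

    No chain, CA signature or name check is performed; trust rests entirely
    on the pin set, so every legitimate certificate change must be pinned.
    """
    fp = fingerprint(presented_der)
    # Constant-time comparison against each pin, so the check leaks nothing
    # about how much of a candidate fingerprint matched.
    return any(hmac.compare_digest(fp, pin) for pin in pins)


if __name__ == "__main__":
    print("server   :", verify_peer(SERVER_CERT_DER, PINS))    # True
    print("rotated  :", verify_peer(ROTATED_CERT_DER, PINS))   # True
    print("impostor :", verify_peer(IMPOSTOR_CERT_DER, PINS))  # False
```

The pin set carries two entries on purpose: pinning the next certificate before it is deployed is what keeps a pinned client working across a rotation, since with no CA in the picture nothing else can vouch for the new certificate.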
