[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2011-10-24 01:21:45 -0400, al_9x at yahoo.com wrote:
> On 10/15/2011 6:37 AM, al_9x at yahoo.com wrote:
>> If the leaf (server) cert is declared trusted (added to the cafile),  
>> there is no point in walking the trust chain.
>>
>
> Please explain why it's necessary to add the whole chain to cafile.  Why  
> is just the server cert insufficient?

al_9x,

I /think/ the certificates are checked for validity before they are
checked for being installed locally (Michał, correct me if I'm wrong).

Amongst others, a certificate is valid only if all certificates up to
the CA are valid and not revoked and the CA is trusted. Other things
to check are, e.g., the period of validity (not before/not after
dates).

As far as I remember, stunnel 4.36 introduced a stricter checking of
installed certificates, but I don't know if this is related.

HTH,

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]