[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2011-10-25 16:32:35 -0400, al_9x at yahoo.com wrote:
> I am not dealing with my own certs or signing or revoking anything, I am  
> making a client connection and want to validate the server cert by  
> comparing it to the locally stored cert (verify=3)  For this type of  
> validation the the server cert should be sufficient.

al_9x,

The server is using its certificate (the associated private key, to be
exact) for signing the session key, and this signature has to be
valid.

Moreover, just comparing the certificates with the installed ones
would turn them to simple passwords.

If you are running stunnel with verify=3, why don't you use
self-signed certificates?

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]