[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Wed Nov 2 09:49:21 CET 2011

On Tue, 2011-11-01 23:11:45 -0400, al_9x at yahoo.com wrote:
> On 10/15/2011 6:37 AM, al_9x at yahoo.com wrote:
>> If the leaf (server) cert is declared trusted (added to the cafile),  
>> there is no point in walking the trust chain.
> Michal Trojnara, can you comment please?  Can you support a mode of  
> validation that allows one to trust the server certificate, without  
> having to add the whole chain?


I think the technical issue has been discussed already.

Could you please provide a rationale for insisting in not using
self-singed certificates /and/ for refusing to have the one or two
additional certificates installed?



Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany

More information about the stunnel-users mailing list