[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com al_9x at yahoo.com
Wed Nov 2 10:41:57 CET 2011


On 11/2/2011 4:49 AM, Ludolf Holzheid wrote:
> On Tue, 2011-11-01 23:11:45 -0400, al_9x at yahoo.com wrote:
>> On 10/15/2011 6:37 AM, al_9x at yahoo.com wrote:
>>> If the leaf (server) cert is declared trusted (added to the cafile),
>>> there is no point in walking the trust chain.
>> Michal Trojnara, can you comment please?  Can you support a mode of
>> validation that allows one to trust the server certificate, without
>> having to add the whole chain?
> al_9x,
>
> I think the technical issue has been discussed already.
>
> Could you please provide a rationale for insisting on not using
> self-signed certificates

stunnel can be used in client mode to connect to servers one does not
control.

> /and/ for refusing to have the one or two
> additional certificates installed?

one or two or three or four or five

I already explained that when you choose to trust a specific server cert,
the CA certs (intermediate and root) up the chain are irrelevant; it is
pointless to verify them, and doing so only creates unnecessary work.

The concept of trusted server certs (as opposed to trusted authority
certs) is well established.  Firefox's certificate manager, for example,
has a Servers tab where you can import and trust specific server certs
(self-signed and not).
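The distinction the thread is arguing about (trusting a specific server certificate directly versus building a chain to a self-signed root) is exactly the one OpenSSL's verifier exposes as the partial-chain flag (`-partial_chain` on the command line, `X509_V_FLAG_PARTIAL_CHAIN` in the API). The script below is an added example, not code from this thread or from the stunnel project: it builds a constructed three-level chain (demo-root, demo-int, demo-server are made-up names) with the openssl CLI and then runs `openssl verify` against different trust-store contents, so you can see where a root-only store fails without the intermediate, and that a store holding only the intermediate or only the server certificate verifies the leaf once partial chains are allowed.

```shell
#!/bin/sh
# Added example, not code from the stunnel-users thread or the stunnel project.
# Builds a constructed chain (demo-root -> demo-int -> demo-server) and shows how
# `openssl verify` behaves with different trust stores, with and without
# -partial_chain. Requires the openssl CLI; keys and certs live in a temp dir.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = demo-root
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# issue <name> <issuer> <ext-section>: sign $WORK/<name>.csr with <issuer>'s key.
issue() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions "$3" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Build root -> int -> leaf once; later calls are no-ops.
build_chain() {
    if [ -f "$WORK/leaf.crt" ]; then return 0; fi
    openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-root" -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-int" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    issue int root ca_ext
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-server" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    issue leaf int leaf_ext
}

# verify_leaf <anchor> <partial 0|1> [untrusted]: verify leaf.crt with
# $WORK/<anchor>.crt as the entire trust store (plus an optional untrusted
# intermediate, as a TLS server would send it). Echoes OK or FAIL.
verify_leaf() {
    anchor=$1; partial=$2; untrusted=${3:-}
    set -- -CAfile "$WORK/$anchor.crt"
    if [ "$partial" = 1 ]; then set -- "$@" -partial_chain; fi
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$WORK/$untrusted.crt"; fi
    if openssl verify "$@" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

run_demo() {
    build_chain
    printf '%-40s %s\n' "trust store / options" "result"
    printf '%-40s %s\n' "root only"                          "$(verify_leaf root 0)"
    printf '%-40s %s\n' "root, intermediate as -untrusted"   "$(verify_leaf root 0 int)"
    printf '%-40s %s\n' "intermediate only"                  "$(verify_leaf int 0)"
    printf '%-40s %s\n' "intermediate only, -partial_chain"  "$(verify_leaf int 1)"
    printf '%-40s %s\n' "server cert only"                   "$(verify_leaf leaf 0)"
    printf '%-40s %s\n' "server cert only, -partial_chain"   "$(verify_leaf leaf 1)"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

The first row is the failure the thread's subject line is about: a trust store that contains only the anchor cannot be completed unless every intermediate is either in the store or supplied by the peer. The last row is the behaviour al_9x is asking for. One caveat for anyone who pins a leaf this way: with a partial chain the CA certificates are never consulted, so the pinned certificate's expiry and any revocation of the issuing CA are not checked, and the pinned file has to be replaced by hand whenever the server renews its certificate.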
