[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Wed Nov 2 11:39:07 CET 2011

On Wed, 2011-11-02 05:41:57 -0400, al_9x at yahoo.com wrote:
> The concept of trusted server certs (as opposed to trusted authority  
> certs) is well established.  Firefox cert manager, for example, has a  
> servers tab where you can import and trust specific server certs (self  
> signed and not)

And Firefox accepts such certificates even if they can't be validated
(and thus are to be considered invalid)? I would regard this as a bug
or at least as a design flaw...

BTW, Firefox comes with about 200 certificates installed, and 200 is
much larger than five, which seems to be a pain for you.



Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
