[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com
Wed Nov 2 12:08:38 CET 2011


On 11/2/2011 6:39 AM, Ludolf Holzheid wrote:
> On Wed, 2011-11-02 05:41:57 -0400, al_9x at yahoo.com wrote:
>> The concept of trusted server certs (as opposed to trusted authority
>> certs) is well established.  Firefox cert manager, for example, has a
>> servers tab where you can import and trust specific server certs (self
>> signed and not)
> And Firefox accepts such certificates even if they can't be validated
> (and thus are to be considered invalid)? I would regard this as a bug
> or at least as a design flaw...

They *are* validated, by the user's explicit grant of trust to the
imported server cert.  The flaw is not in Firefox but in your understanding
of trust.  The reason you walk the trust chain to a trusted root is
because normally (standard PKI model) you don't trust individual server
certs, but only CA roots.  However, if (for whatever reason) you do
explicitly trust a server cert, no further validation is needed.


