[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
yyy at yyy.id.lv
Wed Nov 2 16:20:12 CET 2011
OP did not ask for PKI. It is obvious that a directly trusted server certificate cannot be revoked.

The necessary option is that ANY directly trusted certificate should be treated as self signed (for example, the server cert is trusted, but the CA is not). There might be other users who trust the CA but do not trust the server cert directly, so the server cert was signed by the CA for the sake of that subset of users.
----- Original Message -----
From: "Jochen Bern" <Jochen.Bern at LINworks.de>
To: <stunnel-users at stunnel.org>
Sent: Wednesday, November 02, 2011 2:05 PM
Subject: Re: [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Whether "the PKI model" ***ALLOWS*** overlaying a Web of Trust in
addition to the hierarchical structure is debatable. As I already
mentioned, not going through the CA certs effectively disables
(automated) CRL checking, which is a pretty dubious "improvement".
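The disagreement above is between two chain-building policies: one where every path must end in a self-signed root in the cafile (which is why verify=3 needs the CA cert present), and one where any directly trusted certificate is accepted as the anchor (OpenSSL later exposed the second as X509_V_FLAG_PARTIAL_CHAIN). The following is an added model written for this thread, not stunnel or OpenSSL code; certificate names, serials and the CRL are constructed, and real signature checking is left out so the path-building and revocation logic stand alone. It shows the practical consequence Jochen points at: with the leaf as its own anchor, the issuing CA's CRL is never on the path, so a revoked server cert is still accepted.

```python
"""Model of X.509 path building under two trust policies (constructed example).

strict:  the path must end in a self-signed root held in the trust store
         (the verify=3 behaviour discussed in the thread).
partial: any directly trusted certificate ends the path (what the reply
         asks for; OpenSSL's X509_V_FLAG_PARTIAL_CHAIN does this).
Signatures are not verified here; only issuer links and CRLs are modelled.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class Crl:
    issuer: str
    revoked: frozenset  # serial numbers revoked by this issuer


def build_chain(leaf: Cert, trusted: Iterable[Cert],
                partial_chain: bool) -> Optional[List[Cert]]:
    """Return the path from leaf to its trust anchor, or None if none exists.

    `trusted` plays the role of the cafile: roots and any directly trusted
    end-entity certificates both live there.
    """
    trusted = list(trusted)
    by_subject: Dict[str, Cert] = {c.subject: c for c in trusted}
    chain = [leaf]
    cur = leaf
    while True:
        if cur in trusted and (partial_chain or cur.self_signed()):
            return chain                      # anchor reached
        if cur.self_signed():
            return None                       # root reached, but not trusted
        issuer = by_subject.get(cur.issuer)
        if issuer is None or issuer in chain:
            return None                       # issuer missing from cafile (or loop)
        chain.append(issuer)
        cur = issuer


def verify(leaf: Cert, trusted: Iterable[Cert], crls: Iterable[Crl],
           partial_chain: bool) -> str:
    """Return 'no-chain', 'revoked' or 'ok' for the leaf under the given policy."""
    chain = build_chain(leaf, trusted, partial_chain)
    if chain is None:
        return "no-chain"
    crl_by_issuer = {c.issuer: c for c in crls}
    # Each certificate is checked against its issuer's CRL. The anchor has no
    # issuer on the path, so a leaf used as its own anchor is never checked.
    for cert in chain[:-1]:
        crl = crl_by_issuer.get(cert.issuer)
        if crl is not None and cert.serial in crl.revoked:
            return "revoked"
    return "ok"


# Constructed sample data: one root, one server cert that the root has revoked.
ROOT = Cert("Example Root CA", "Example Root CA", 1)
SERVER = Cert("stunnel.example", "Example Root CA", 1001)
ROOT_CRL = Crl("Example Root CA", frozenset({1001}))


def scenarios() -> Dict[str, str]:
    """The four cases argued over in the thread, evaluated by the model."""
    return {
        # cafile holds only the server cert, as the original poster wanted
        "strict, leaf only": verify(SERVER, [SERVER], [ROOT_CRL], partial_chain=False),
        # cafile holds the full chain: the CA's CRL now applies to the leaf
        "strict, leaf + root": verify(SERVER, [SERVER, ROOT], [ROOT_CRL], partial_chain=False),
        "strict, leaf + root, no CRL": verify(SERVER, [SERVER, ROOT], [], partial_chain=False),
        # leaf accepted as its own anchor: revocation is silently skipped
        "partial, leaf only": verify(SERVER, [SERVER], [ROOT_CRL], partial_chain=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} -> {result}")
```

Running it prints "no-chain" for the strict policy with only the leaf in the store, "revoked" once the root (and its CRL) is present, and "ok" under the partial policy even though the same CRL exists, which is the trade-off each side of the thread weighs differently.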