[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Michal Trojnara Michal.Trojnara at mirt.net
Wed Nov 2 17:22:27 CET 2011

al_9x at yahoo.com wrote:
>> If the leaf (server) cert is declared trusted (added to
>> the cafile), there is no point in walking the trust chain.
> Michal Trojnara, can you comment please?  Can you support a mode of
> validation that allows one to trust the server certificate, without
> having to add the whole chain?

RFC 2246, section 7.4.2 (Server certificate) says:

        This is a sequence (chain) of X.509v3 certificates. The sender's
        certificate must come first in the list. Each following
        certificate must directly certify the one preceding it. Because
        certificate validation requires that root keys be distributed
        independently, the self-signed certificate which specifies the
        root certificate authority may optionally be omitted from the
        chain, under the assumption that the remote end must already
        possess it in order to validate it in any case.

Not validating the chain would violate the protocol requirements.

With "verify=3" you don't really need the whole chain to be in your 
CAfile: just the root certificate and the leaf certificate.


More information about the stunnel-users mailing list