[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Michal.Trojnara at mirt.net
Wed Nov 2 17:22:27 CET 2011
al_9x at yahoo.com wrote:
>> If the leaf (server) cert is declared trusted (added to
>> the cafile), there is no point in walking the trust chain.
> Michal Trojnara, can you comment please? Can you support a mode of
> validation that allows one to trust the server certificate, without
> having to add the whole chain?
RFC 2246, section 7.4.2 (Server certificate) says:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate which specifies the
root certificate authority may optionally be omitted from the
chain, under the assumption that the remote end must already
possess it in order to validate it in any case.
Not validating the chain would violate the protocol requirements.
With "verify=3" you don't really need the whole chain to be in your
CAfile: just the root certificate and the leaf certificate.
More information about the stunnel-users