[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com al_9x at yahoo.com
Thu Nov 3 02:53:32 CET 2011

On 11/2/2011 12:22 PM, Michal Trojnara wrote:
> Not validating the chain would violate the protocol requirements.

I am not suggesting you should abandon normal CA based validation, but 
that in addition to it, you could support an alternative validation 
model where the user can grant trust to the server cert, which renders 
any further validation unnecessary.  Considering you support running 
without any validation whatsoever, doesn't make sense that you object to 
this alternative approach.

More information about the stunnel-users mailing list