[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Michal Trojnara Michal.Trojnara at mirt.net
Thu Nov 3 08:12:01 CET 2011


al_9x at yahoo.com wrote:
>I am not suggesting you should abandon normal CA based validation, but 
>that in addition to it, you could support an alternative validation 
>model where the user can grant trust to the server cert, which renders 
>any further validation unnecessary.  Considering you support running 
>without any validation whatsoever, it doesn't make sense that you object
>to this alternative approach.

Makes sense indeed.

Just to be sure I understand your needs: the server would send the whole chain, but the client would only verify the peer certificate, right? Otherwise it might be hard to perform peer certificate validation without its signing certificate.

Mike
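To make the point above concrete, here is an added example (not code from the thread or from stunnel) using the openssl CLI, which stunnel relies on for certificate checks. It builds a throwaway CA and leaf, then shows that OpenSSL chain verification of the leaf fails when only the leaf is in the trust file, and that the alternative model from the quoted message, trust granted to the exact peer certificate, can be done by fingerprint comparison (or with OpenSSL's own `-partial_chain` flag) without the issuer ever being present. The certificate names are constructed.

```shell
#!/bin/sh
# Added example, not code from stunnel or the thread: why chain verification of a
# peer certificate needs its issuing certificate, and how direct trust in the peer
# certificate avoids that requirement. Requires the openssl CLI.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed throwaway PKI (names are made up): a self-signed CA and one leaf it signs.
openssl req -newkey rsa:2048 -nodes -subj /CN=Example-CA -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -extfile ca.ext -days 1 -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=server.example -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 -out leaf.pem 2>/dev/null

# Chain verification of leaf.pem against a trust file (the OpenSSL check that stunnel's
# verify levels build on). Extra arguments are passed to `openssl verify`. Prints ok or fail.
verify_with() {
  trust=$1; shift
  if openssl verify "$@" -CAfile "$trust" leaf.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The alternative model from the thread: trust is granted to the exact peer certificate,
# so compare SHA-256 fingerprints; the signing CA is never consulted. Prints match or mismatch.
pin_match() {
  pinned=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  peer=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$pinned" = "$peer" ] && echo match || echo mismatch
}

echo "CA in trust file:          $(verify_with ca.pem)"                   # ok
echo "only leaf in trust file:   $(verify_with leaf.pem)"                 # fail: issuer missing
echo "leaf with -partial_chain:  $(verify_with leaf.pem -partial_chain)"  # ok
echo "pinned leaf vs peer leaf:  $(pin_match leaf.pem leaf.pem)"          # match
echo "pinned CA vs peer leaf:    $(pin_match ca.pem leaf.pem)"            # mismatch
```

The second line is the failure behind the subject of this thread: with the signing certificate absent, OpenSSL cannot build a chain for the leaf, so a verify level that asks for chain validation needs the issuer in the trust file.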
