[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Michal Trojnara Michal.Trojnara at mirt.net
Thu Nov 3 10:41:54 CET 2011

al_9x at yahoo.com wrote:
> I am not suggesting you should abandon normal CA based validation,
> but that in addition to it, you could support an alternative
> validation model where the user can grant trust to the server cert,
> which renders any further validation unnecessary.  Considering you
> support running without any validation whatsoever, it doesn't make sense
> that you object to this alternative approach.

I've implemented this functionality as "verify=4".

Please test it and let us know if that's what you expected:

A similar idea was proposed for the OpenSSL protocol itself:

Best regards,
     Michal Trojnara
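
The two trust models discussed in this thread, side by side as a client-mode stunnel.conf fragment. This is an added example, not part of the original message or of the stunnel distribution. The service names, hosts, ports and file paths are placeholders, and the described effect of "verify = 4" (chain ignored, only the peer certificate checked) is taken from stunnel's documentation for releases that include the option.

```ini
; Constructed example: all names, addresses and paths below are placeholders.

; Model 1: peer certificate must be locally installed AND its chain must
; validate. As the thread subject notes, CAfile then has to contain the
; server certificate plus every CA certificate up to the root.
[peer-with-chain]
client = yes
accept = 127.0.0.1:8443
connect = server.example.com:443
verify = 3
; server cert + intermediate CA(s) + root CA, concatenated PEM
CAfile = /etc/stunnel/server-and-chain.pem

; Model 2: trust is granted to the server certificate itself. The CA chain
; is ignored, so CAfile only needs the one certificate being trusted.
[peer-only]
client = yes
accept = 127.0.0.1:8444
connect = server.example.com:443
verify = 4
; only the server certificate, PEM
CAfile = /etc/stunnel/server-only.pem
```

With the second model, replacing the server certificate means distributing the new certificate file to every client that pins it.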
