[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com
Tue Oct 25 21:54:26 CEST 2011


On 10/25/2011 2:27 PM, Ludolf Holzheid wrote:
> On Mon, 2011-10-24 01:21:45 -0400, al_9x at yahoo.com wrote:
>> On 10/15/2011 6:37 AM, al_9x at yahoo.com wrote:
>>> If the leaf (server) cert is declared trusted (added to the cafile),
>>> there is no point in walking the trust chain.
>>>
>> Please explain why it's necessary to add the whole chain to cafile.  Why
>> is just the server cert insufficient?
> al_9x,
>
> I /think/ the certificates are checked for validity before they are
> checked for being installed locally (Michał, correct me if I'm wrong).
>

verify=3 means checking is done against local certs.  My point is that 
if the actual server cert is stored locally (i.e. trusted) that should 
be enough.  When I put just the server cert in cafile validation (and 
connection) fails, but when I put the whole chain, it succeeds.  Why 
isn't the server cert sufficient?
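The behaviour described above can be reproduced outside stunnel with the OpenSSL command line, since stunnel's certificate verification rests on OpenSSL's chain builder. The script below is an added example and is not part of the thread or of stunnel: it creates a throwaway root / intermediate / server chain (CA names, the hostname and all file names are made up for the demo) and then runs `openssl verify` against different CAfile contents. Plain OpenSSL chain verification succeeds only when the presented chain can be completed up to a self-signed root that is in the trust store; a trusted copy of the leaf, or a lone intermediate, is not enough unless partial-chain trust is switched on (`-partial_chain`, OpenSSL 1.0.2 and later). That is why the server certificate alone fails while root plus intermediate passes.

```shell
#!/bin/sh
# Added example (not from the stunnel-users thread): reproduce with plain
# OpenSSL what happens when only the server cert, or the whole CA chain,
# is in the CAfile. Names, hostname and files are made up for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the CA certs and the server (leaf) cert, plus the
# minimal [req] section that 'openssl req' requires even when -subj is used.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# One EC P-256 key each for the root, the intermediate and the server.
for n in root inter server; do
  openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done

# Root CA: self-signed.
openssl req -new -config ext.cnf -key root.key -subj "/CN=Demo Root CA" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -new -config ext.cnf -key inter.key -subj "/CN=Demo Intermediate CA" -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions ca -out inter.pem 2>/dev/null

# Server certificate, issued by the intermediate.
openssl req -new -config ext.cnf -key server.key -subj "/CN=stunnel.example.test" -out server.csr
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions leaf -out server.pem 2>/dev/null

# Candidate CAfile contents: the server cert alone, the intermediate alone,
# and the issuing chain (root + intermediate).
cp server.pem cafile-leaf-only.pem
cp inter.pem cafile-inter-only.pem
cat root.pem inter.pem > cafile-chain.pem

# verify_with CAFILE CERT [extra 'openssl verify' options]
# Prints "ok" when OpenSSL accepts CERT against CAFILE, "fail" otherwise.
verify_with() {
  cafile="$1"; cert="$2"; shift 2
  if openssl verify "$@" -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "server cert only in CAfile:       $(verify_with cafile-leaf-only.pem server.pem)"
echo "intermediate only in CAfile:      $(verify_with cafile-inter-only.pem server.pem)"
echo "root + intermediate in CAfile:    $(verify_with cafile-chain.pem server.pem)"
echo "server cert only, -partial_chain: $(verify_with cafile-leaf-only.pem server.pem -partial_chain)"
```

The first three lines of output mirror the stunnel observation (fail, fail, ok): without partial-chain trust, OpenSSL will not treat a non-self-signed certificate found in the store as a trust anchor, so it keeps looking for the issuer and gives up when the chain cannot reach a self-signed root. The last line shows the same leaf-only CAfile accepted once `-partial_chain` is set, which is the verification mode the question is really asking for.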
