[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 25 Oct 2011 15:54:26 -0400
al_9x at yahoo.com wrote:

... 
> verify=3 means checking is done against local certs.  My point is that 
> if the actual server cert is stored locally (i.e. trusted) that should 
> be enough.  When I put just the server cert in cafile validation (and 
> connection) fails, but when I put the whole chain, it succeeds.  Why 
> isn't the server cert sufficient?

Because the SVR cert is used to signed your own cert, this ensure liability
between svr & cli; and if it was only the SVR cert, how could you revoke
client by client?  
You would be obliged to revoke all clients at once - which doesn't look
like a very good strategy if you've got 1000's of clients...

-- 
You will be dead within a year.

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]