[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com al_9x at yahoo.com
Tue Oct 25 22:32:35 CEST 2011

On 10/25/2011 4:15 PM, Jean-Yves F. Barbier wrote:
> On Tue, 25 Oct 2011 15:54:26 -0400
> al_9x at yahoo.com wrote:
> ...
>> verify=3 means checking is done against local certs.  My point is that
>> if the actual server cert is stored locally (i.e. trusted) that should
>> be enough.  When I put just the server cert in cafile validation (and
>> connection) fails, but when I put the whole chain, it succeeds.  Why
>> isn't the server cert sufficient?
> Because the SVR cert is used to signed your own cert, this ensure liability
> between svr&  cli; and if it was only the SVR cert, how could you revoke
> client by client?
> You would be obliged to revoke all clients at once - which doesn't look
> like a very good strategy if you've got 1000's of clients...
I am not dealing with my own certs or signing or revoking anything, I am 
making a client connection and want to validate the server cert by 
comparing it to the locally stored cert (verify=3)  For this type of 
validation the the server cert should be sufficient.

More information about the stunnel-users mailing list