[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Wed Oct 26 09:29:46 CEST 2011

On Tue, 2011-10-25 16:32:35 -0400, al_9x at yahoo.com wrote:
> I am not dealing with my own certs or signing or revoking anything, I am  
> making a client connection and want to validate the server cert by  
> comparing it to the locally stored cert (verify=3)  For this type of  
> validation the the server cert should be sufficient.


The server is using its certificate (the associated private key, to be
exact) for signing the session key, and this signature has to be

Moreover, just comparing the certificates with the installed ones
would turn them to simple passwords.

If you are running stunnel with verify=3, why don't you use
self-signed certificates?



Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany

More information about the stunnel-users mailing list