al_9x@yahoo.com wrote:
If the leaf (server) cert is declared trusted (added to the cafile), there is no point in walking the trust chain.
Michal Trojnara, can you comment please? Can you support a mode of validation that allows one to trust the server certificate, without having to add the whole chain?
RFC 2246, section 7.4.2 (Server certificate) says:
certificate_list This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate which specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
Not validating the chain would violate the protocol requirements.
With "verify=3" you don't really need the whole chain to be in your CAfile: just the root certificate and the leaf certificate.
Mike