[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

If the leaf (server) cert is declared trusted (added to the cafile), there is no point in walking the trust chain.