al_9x@yahoo.com wrote:
I am not suggesting you should abandon normal CA based validation, but that in addition to it, you could support an alternative validation model where the user can grant trust to the server cert, which renders any further validation unnecessary. Considering you support running without any validation whatsoever, it doesn't make sense that you object to this alternative approach.
I've implemented this functionality as "verify=4".
Please test it and let us know if that's what you expected: ftp://ftp.stunnel.org/stunnel/stunnel-4.46b2.tar.gz
A similar idea was proposed for the OpenSSL protocol itself: https://tools.ietf.org/html/draft-wouters-tls-oob-pubkey-01
Best regards, Michal Trojnara
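An added example, not from this thread or the stunnel distribution, of a client-side stunnel configuration with the no-validation mode al_9x mentions beside the pinned-trust mode; the section names, addresses and PEM path are assumed placeholders, and it assumes verify=4 trusts exactly the peer certificate stored in CAfile:

```ini
; Added example; service names, addresses and the PEM path are placeholders.
; Assumes verify=4 ignores the CA chain and accepts only the exact peer
; certificate(s) present in CAfile.

; Weak: the server certificate is requested but never checked,
; so any certificate, including an attacker's, is accepted.
[imap-nocheck]
client = yes
accept = 127.0.0.1:9993
connect = imap.example.com:993
verify = 0

; Pinned: the server's own certificate was saved locally (PEM) and
; the connection fails unless the presented certificate matches it.
[imap-pinned]
client = yes
accept = 127.0.0.1:9994
connect = imap.example.com:993
verify = 4
CAfile = /etc/stunnel/imap.example.com.pem
```

The pinned PEM should be obtained out of band and refreshed when the server rotates its certificate, since the pinned section fails closed on any mismatch.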