On 11/2/2011 4:49 AM, Ludolf Holzheid wrote:
> On Tue, 2011-11-01 23:11:45 -0400, al_9x@yahoo.com wrote:
> > On 10/15/2011 6:37 AM, al_9x@yahoo.com wrote:
> > > If the leaf (server) cert is declared trusted (added to the cafile), there is no point in walking the trust chain.
> >
> > Michal Trojnara, can you comment please? Can you support a mode of validation that allows one to trust the server certificate, without having to add the whole chain?
>
> al_9x,
>
> I think the technical issue has been discussed already.
> Could you please provide a rationale for insisting on not using self-signed certificates

stunnel can be used in client mode to connect to servers one does not control

> /and/ for refusing to have the one or two additional certificates installed?

one or two or three or four or five

I already explained that when you choose to trust a specific server cert, the CA certs (intermediate and root) up the chain are irrelevant; it is pointless to verify them and only creates unnecessary work.

The concept of trusted server certs (as opposed to trusted authority certs) is well established. Firefox cert manager, for example, has a servers tab where you can import and trust specific server certs (self-signed and not).
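The point the two sides are arguing past each other on can be reproduced with the openssl command line, since stunnel delegates chain validation to OpenSSL and inherits its rules. The script below is an added example and is not code from this thread or from the stunnel project. It builds a throwaway root, intermediate and leaf (the names "Example Root", "Example Intermediate" and "server.example" are made up), then checks the leaf three ways: with the root as trust anchor and the intermediate supplied as an untrusted helper (the "install the whole chain" model), with only the leaf in the CAfile under default rules (which fails, because OpenSSL's default chain building insists on reaching a self-signed anchor), and with only the leaf in the CAfile plus OpenSSL's partial-chain flag, which is exactly the "trust this specific server cert" mode al_9x is asking for; that flag (`-partial_chain`, `X509_V_FLAG_PARTIAL_CHAIN`) only exists in OpenSSL 1.0.2 and later, so it post-dates this thread. A SHA-256 fingerprint helper shows the other common way of expressing the same trust decision, a pin on one certificate rather than on a CA.

```shell
#!/bin/sh
# Added example (not from the stunnel thread): build root -> intermediate -> leaf
# with the openssl CLI and compare full-chain, leaf-only and partial-chain verification.
# Assumes an openssl binary of 1.0.2 or newer on PATH; all names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.example
EOF

# issue <name> <subject> <extension-section> [<issuer-name>]
# With no issuer the certificate is self-signed (the root); otherwise it is
# signed by <issuer>.key. P-256 keys keep generation fast.
issue() {
    name=$1 subj=$2 ext=$3 issuer=${4:-}
    if [ -z "$issuer" ]; then
        openssl req -x509 -config "$WORK/x509.cnf" -extensions "$ext" \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" -subj "$subj" -days 30 2>/dev/null
    else
        openssl req -new -config "$WORK/x509.cnf" \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
            -CAcreateserial -days 30 -extfile "$WORK/x509.cnf" -extensions "$ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# verify_leaf <mode>: prints OK or FAIL for leaf.pem.
#   full      root.pem is the trust anchor, inter.pem is passed as untrusted
#   leaf-only only leaf.pem in the CAfile, default rules (the thread's sticking point)
#   partial   only leaf.pem in the CAfile, chain may end at any cert in the store
verify_leaf() {
    case $1 in
        full)      out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true) ;;
        leaf-only) out=$(openssl verify -CAfile "$WORK/leaf.pem" "$WORK/leaf.pem" 2>&1 || true) ;;
        partial)   out=$(openssl verify -partial_chain -CAfile "$WORK/leaf.pem" "$WORK/leaf.pem" 2>&1 || true) ;;
        *)         echo "unknown mode: $1" >&2; return 2 ;;
    esac
    # openssl verify prints "<file>: OK" on success, "error ..." lines otherwise.
    case $out in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

# fingerprint <cert.pem>: SHA-256 of the DER encoding, i.e. the value a client
# would pin when it trusts one server certificate rather than a CA.
fingerprint() {
    openssl x509 -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

issue root  "/CN=Example Root"         v3_ca
issue inter "/CN=Example Intermediate" v3_ca   root
issue leaf  "/CN=server.example"       v3_leaf inter

echo "full chain (root trusted, intermediate supplied): $(verify_leaf full)"
echo "leaf only, default rules:                          $(verify_leaf leaf-only)"
echo "leaf only, -partial_chain:                         $(verify_leaf partial)"
echo "leaf pin (sha256): $(fingerprint "$WORK/leaf.pem")"
```

The leaf-only check fails for the reason Ludolf alludes to: OpenSSL's chain builder does not stop when it finds the leaf itself in the store, it keeps looking for the leaf's issuer, so the intermediate and root have to be present. The partial-chain run is the behaviour al_9x wants, with the cost he does not mention: once a leaf is the trust anchor, nothing above it is checked, so the CA's revocation data is never consulted and the pinned certificate has to be replaced by hand whenever the server rotates it.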