On 10/25/2011 4:15 PM, Jean-Yves F. Barbier wrote:
On Tue, 25 Oct 2011 15:54:26 -0400 al_9x@yahoo.com wrote:
...
verify=3 means checking is done against local certs. My point is that if the actual server cert is stored locally (i.e. trusted) that should be enough. When I put just the server cert in cafile validation (and connection) fails, but when I put the whole chain, it succeeds. Why isn't the server cert sufficient?
Because the SVR cert is used to sign your own cert; this ensures liability between svr & cli. And if it was only the SVR cert, how could you revoke client by client? You would be obliged to revoke all clients at once - which doesn't look like a very good strategy if you've got 1000's of clients...
I am not dealing with my own certs or signing or revoking anything. I am making a client connection and want to validate the server cert by comparing it to the locally stored cert (verify=3). For this type of validation the server cert should be sufficient.
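The behaviour al_9x describes, reproduced with the OpenSSL CLI as an added example (not code from the thread or from stunnel): a CA-signed server cert fails path validation when the cafile holds only that cert, and passes once the issuing CA cert is present; a direct fingerprint comparison against the stored copy is the "just compare it to the local cert" check. Assumes `openssl` is installed; the CA and server cert are constructed throwaway material.

```shell
#!/bin/sh
# Added demo, not from the thread: path validation vs. comparing against a
# locally stored copy. Assumes the openssl CLI; all certs are constructed.
WORK="${WORK:-$(mktemp -d)}"

make_certs() {
  # constructed: one-day demo CA and a server cert signed by it
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" >/dev/null 2>&1
}

# verify_against CAFILE CERT: exit 0 only when OpenSSL can build a trusted
# path to CERT from the certs in CAFILE (this is what a cafile check does)
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint_matches PINNED CERT: exit 0 when the presented cert is the
# same certificate as the locally stored copy (a pin, not path validation)
fingerprint_matches() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

make_certs
if verify_against "$WORK/srv.pem" "$WORK/srv.pem"; then
  echo "cafile = server cert only: path validation OK"
else
  echo "cafile = server cert only: path validation FAILS (no issuer found)"
fi
if verify_against "$WORK/ca.pem" "$WORK/srv.pem"; then
  echo "cafile = issuing CA (rest of chain): path validation OK"
fi
if fingerprint_matches "$WORK/srv.pem" "$WORK/srv.pem"; then
  echo "fingerprint of stored copy matches presented cert"
fi
```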