Hello,
In the stunnel documentation, I see the following: "level 4 - Ignore CA chain and only verify peer certificate." My interpretation of level 4 was that only the server certificate had to be installed on the client in order for the cert verification to pass. No issuer/CA certificates were needed. However, when I do this, the connection fails. I see the following in the logs with verify=4:
2014.08.12 21:17:57 LOG7[26768]: Starting certificate verification: depth=0, subject=/C=US/CN=a.b.com
2014.08.12 21:17:57 LOG4[26768]: CERT: Verification error: unable to get local issuer certificate
2014.08.12 21:17:57 LOG4[26768]: Certificate check failed: depth=0, subject=/C=US/CN=a.b.com
2014.08.12 21:17:57 LOG7[26768]: SSL alert (write): fatal: unknown CA
2014.08.12 21:17:57 LOG3[26768]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
My config file contains the following:

verify = 4
CAfile = /opt/stunnel/certs/clients.pem
chroot = /opt/stunnel
setuid = stunnel
setgid = stunnel
pid = /run/stunnel.pid
debug = 7
output = stunnel.log
options = NO_SSLv2
cert = /opt/stunnel/certs/server.pem
key = /opt/stunnel/certs/server.pem
If I append the issuer certificate to the CAfile, after the peer certificate, then the connection is successful with verify=4.
Is this expected behavior? Is there a verify level that works as I described above: only the peer certificate needs to be present, no CA/issuer certificates at all?
Thank you for your help.
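The depth-0 failure in the post can be reproduced outside stunnel with plain openssl, since stunnel's verify callback sits on the same libcrypto chain builder. The script below is an added example, not from the original post or the stunnel project: it generates a constructed issuer and a leaf with the post's subject (/C=US/CN=a.b.com), then verifies the leaf against a CAfile holding only the peer cert, against one with the issuer appended, and (going beyond the post) with OpenSSL's -partial_chain flag, which is the library-level way to trust a non-root certificate directly. File names and the issuer name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain: constructed self-signed issuer plus a leaf it signs, mirroring the
# post's server certificate subject. The issuer name is invented.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/CN=Example Issuer" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/CN=a.b.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_with: run the chain builder against a CAfile; prints ok or fail.
# Extra arguments (e.g. -partial_chain) are passed through to openssl verify.
verify_with() {
  cafile=$1; shift
  if openssl verify "$@" -CAfile "$cafile" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail   # "unable to get local issuer certificate" at depth 0
  fi
}

# CAfile holds only the peer certificate: the post's first attempt.
leaf_only_result() { verify_with "$WORK/leaf.pem"; }

# Issuer appended after the peer certificate: the post's working config.
leaf_plus_issuer_result() {
  cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/clients.pem"
  verify_with "$WORK/clients.pem"
}

# OpenSSL 1.0.2+ can treat a non-self-signed store entry as a trust anchor with
# -partial_chain; this is what "trust only the peer cert" means at library level.
partial_chain_result() { verify_with "$WORK/leaf.pem" -partial_chain; }

make_chain
echo "leaf only:                 $(leaf_only_result)"
echo "leaf + issuer:             $(leaf_plus_issuer_result)"
echo "leaf only, -partial_chain: $(partial_chain_result)"
```

Without the issuer (or the partial-chain flag) the chain builder stops at depth 0 with exactly the error in the post's log, which is why appending the issuer to clients.pem made the connection succeed.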