On Tue, 25 Oct 2011 15:54:26 -0400 al_9x@yahoo.com wrote:
> ...
> verify=3 means checking is done against local certs. My point is that if the actual server cert is stored locally (i.e. trusted) that should be enough. When I put just the server cert in cafile, validation (and connection) fails, but when I put the whole chain, it succeeds. Why isn't the server cert sufficient?

Because the SVR cert is used to sign your own cert; this ensures liability between svr & cli. And if it was only the SVR cert, how could you revoke client by client? You would be obliged to revoke all clients at once, which doesn't look like a very good strategy if you've got 1000's of clients...
On 10/25/2011 4:15 PM, Jean-Yves F. Barbier wrote:
> On Tue, 25 Oct 2011 15:54:26 -0400 al_9x@yahoo.com wrote:
>> ...
>> verify=3 means checking is done against local certs. My point is that if the actual server cert is stored locally (i.e. trusted) that should be enough. When I put just the server cert in cafile, validation (and connection) fails, but when I put the whole chain, it succeeds. Why isn't the server cert sufficient?
>
> Because the SVR cert is used to sign your own cert; this ensures liability between svr & cli. And if it was only the SVR cert, how could you revoke client by client? You would be obliged to revoke all clients at once, which doesn't look like a very good strategy if you've got 1000's of clients...

I am not dealing with my own certs or signing or revoking anything. I am making a client connection and want to validate the server cert by comparing it to the locally stored cert (verify=3). For this type of validation the server cert should be sufficient.
On Tue, 2011-10-25 16:32:35 -0400, al_9x@yahoo.com wrote:
> I am not dealing with my own certs or signing or revoking anything. I am making a client connection and want to validate the server cert by comparing it to the locally stored cert (verify=3). For this type of validation the server cert should be sufficient.

al_9x,

The server is using its certificate (the associated private key, to be exact) for signing the session key, and this signature has to be valid.

Moreover, just comparing the certificates with the installed ones would turn them into simple passwords.

If you are running stunnel with verify=3, why don't you use self-signed certificates?

Ludolf
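The three CAfile situations discussed in this thread (server cert only fails, the whole chain works, a self-signed server cert works) can be reproduced outside stunnel with the openssl command line, since stunnel delegates certificate verification to OpenSSL. The script below is an added example written for this page, not code from the thread or from the stunnel project. It builds a throwaway PKI in a temp directory (the names "Example Private CA" and "stunnel.example" are made up) and runs `openssl verify` with each candidate trust store. It assumes an `openssl` binary of version 1.0.2 or newer on PATH (for `-partial_chain`) and a default openssl.cnf present, as on any normal install. The last case goes beyond the thread: OpenSSL's `-partial_chain` flag makes any certificate in the trust store a trust anchor, which is the rule the original poster expected. Without it, OpenSSL's default policy requires the chain to end in a self-signed certificate found in the store, which is exactly why a CA-issued leaf on its own is rejected while a self-signed one is accepted.

```shell
#!/bin/sh
# Added example (not from the stunnel thread): reproduce the CAfile cases
# with the openssl CLI. All subject names below are made up for this demo.
set -e

WORK=$(mktemp -d)                    # scratch PKI lives here
trap 'rm -rf "$WORK"' EXIT

# Build a constructed PKI: a private CA, a server cert issued by it, and a
# separately generated self-signed server cert. Safe to call more than once.
make_pki() (
    cd "$WORK"
    [ -f chain.pem ] && exit 0
    printf 'basicConstraints=critical,CA:TRUE\n' > ca_ext.cnf
    # 1. CA: key + CSR, then self-sign it with the CA extension attached
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Private CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
        -extfile ca_ext.cnf -out ca.pem 2>/dev/null
    # 2. Server cert issued (signed) by that CA, i.e. NOT self-signed
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=stunnel.example" \
        -keyout srv.key -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -out srv.pem 2>/dev/null
    # 3. "The whole chain" as a CAfile: issuer plus server cert
    cat ca.pem srv.pem > chain.pem
    # 4. A self-signed server cert, as Ludolf suggests for verify=3
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=stunnel.example" \
        -days 365 -keyout self.key -out self.pem 2>/dev/null
)

# Verify peer cert $2 against trust store $1 with OpenSSL's default policy:
# the chain must end in a self-signed certificate present in the store.
# Prints "ok" or "fail" (never aborts) so the cases can be compared.
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Same check with -partial_chain: any certificate found in the store is
# accepted as a trust anchor, so an exact match on the leaf is enough.
verify_partial_with() {
    if openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
printf '%-45s %s\n' "CAfile = CA-issued server cert only"     "$(verify_with "$WORK/srv.pem" "$WORK/srv.pem")"
printf '%-45s %s\n' "CAfile = CA + server cert (whole chain)" "$(verify_with "$WORK/chain.pem" "$WORK/srv.pem")"
printf '%-45s %s\n' "CAfile = self-signed server cert"        "$(verify_with "$WORK/self.pem" "$WORK/self.pem")"
printf '%-45s %s\n' "server cert only, with -partial_chain"   "$(verify_partial_with "$WORK/srv.pem" "$WORK/srv.pem")"
```

Run it as-is and the first line reports `fail` while the other three report `ok`. The practical reading for stunnel users: if you want verify=3 to pin a single server certificate, either point CAfile at a self-signed server certificate or include the issuing CA in the file; a lone CA-issued leaf is not a trust anchor under default OpenSSL verification, regardless of whether it matches the peer byte for byte.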