[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
al_9x at yahoo.com
Wed Nov 2 12:08:38 CET 2011
On 11/2/2011 6:39 AM, Ludolf Holzheid wrote:
> On Wed, 2011-11-02 05:41:57 -0400, al_9x at yahoo.com wrote:
>> The concept of trusted server certs (as opposed to trusted authority
>> certs) is well established. Firefox cert manager, for example, has a
>> servers tab where you can import and trust specific server certs (self
>> signed and not).
> And Firefox accepts such certificates even if they can't be validated
> (and thus are to be considered invalid)? I would regard this as a bug
> or at least as a design flaw...
They *are* validated, by the user's explicit grant of trust to the
imported server cert. The flaw is not in Firefox but your understanding
of trust. The reason you walk the trust chain to a trusted root is
because normally (standard PKI model) you don't trust individual server
certs, but only CA roots. However, if (for whatever reason) you do
explicitly trust a server cert, no further validation is needed.