[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

al_9x at yahoo.com al_9x at yahoo.com
Thu Nov 3 02:53:32 CET 2011


On 11/2/2011 12:22 PM, Michal Trojnara wrote:
>
> Not validating the chain would violate the protocol requirements.
>

I am not suggesting you should abandon normal CA based validation, but 
that in addition to it, you could support an alternative validation 
model where the user can grant trust to the server cert, which renders 
any further validation unnecessary.  Considering you support running 
without any validation whatsoever, it doesn't make sense that you object to 
this alternative approach.


