[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Michal Trojnara
Michal.Trojnara at mirt.net
Thu Nov 3 10:41:54 CET 2011

al_9x at yahoo.com wrote:
> I am not suggesting you should abandon normal CA based validation,
> but that in addition to it, you could support an alternative
> validation model where the user can grant trust to the server cert,
> which renders any further validation unnecessary. Considering you
> support running without any validation whatsoever, it doesn't make sense
> that you object to this alternative approach.

I've implemented this functionality as "verify=4".

Please test it and let us know if that's what you expected:
ftp://ftp.stunnel.org/stunnel/stunnel-4.46b2.tar.gz

A similar idea was proposed for the OpenSSL protocol itself:
https://tools.ietf.org/html/draft-wouters-tls-oob-pubkey-01

Best regards,
Michal Trojnara
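
The two trust models discussed in this thread, side by side as a stunnel client configuration. This is an added example, not part of the original message or the stunnel distribution; the service names, addresses and file paths are assumptions.

```ini
; Constructed example: service names, addresses and paths are placeholders.

[mail-verify3]
client = yes
accept = 127.0.0.1:1143
connect = mail.example.org:993
; verify=3: the peer certificate must be present in CAfile, and the CA
; chain is still validated, so CAfile also has to hold the issuing CA
; certificates up to the root (the behaviour asked about in the subject).
verify = 3
CAfile = /etc/stunnel/peer-and-chain.pem

[mail-verify4]
client = yes
accept = 127.0.0.1:2143
connect = mail.example.org:993
; verify=4: the CA chain is ignored and only the peer certificate is
; checked against CAfile, so the file holds just the server certificate
; that the user has chosen to trust.
verify = 4
CAfile = /etc/stunnel/peer-only.pem
```

With verify=4 the trust decision rests entirely on the certificate file, so obtain it over a channel you trust and replace it whenever the server's certificate is renewed.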