[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Tue Oct 25 20:27:59 CEST 2011


On Mon, 2011-10-24 01:21:45 -0400, al_9x at yahoo.com wrote:
> On 10/15/2011 6:37 AM, al_9x at yahoo.com wrote:
>> If the leaf (server) cert is declared trusted (added to the cafile),  
>> there is no point in walking the trust chain.
>>
>
> Please explain why it's necessary to add the whole chain to cafile.  Why  
> is just the server cert insufficient?

al_9x,

I /think/ the certificates are checked for validity before they are
checked for being installed locally (Michał, correct me if I'm wrong).

Among other things, a certificate is valid only if all certificates up to
the CA are valid and not revoked and the CA is trusted. Other things
to check are, e.g., the period of validity (not before/not after
dates).

As far as I remember, stunnel 4.36 introduced a stricter checking of
installed certificates, but I don't know if this is related.

HTH,

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
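The following is an added illustration of the point made in the reply above; it is not part of the thread and not stunnel's own code. stunnel hands peer verification to OpenSSL's standard chain building, which only succeeds once the chain reaches a self-signed certificate that is in the trust store. The script builds a throwaway three-level PKI with openssl(1) (made-up names, generated in a temporary directory) and then runs "openssl verify" against several candidate CAfile contents: the server certificate alone is rejected, the root alone is rejected because the intermediate is missing, and the full chain is accepted. The last case shows that OpenSSL can be told to trust a non-self-signed certificate directly, via "-partial_chain" (OpenSSL 1.0.2 and later); stunnel's verify= option, as discussed in this thread, does not expose that flag, which is why the whole chain has to be in CAfile.

```shell
#!/bin/sh
# Added example for the stunnel-users thread; not stunnel code.
# Shows which CAfile contents OpenSSL's chain verification accepts.
# The PKI is generated on the fly with made-up names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so "openssl req" works even without a usable openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extensions for CA certificates and for the server (leaf) certificate.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:stunnel.example
EOF

# issue_cert NAME SUBJECT EXTFILE [ISSUER]
# Without ISSUER the certificate is self-signed (used for the root).
issue_cert() {
    name=$1; subj=$2; ext=$3; issuer=$4
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 3650 -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
            -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Build the chain root -> intermediate -> server leaf and two candidate CAfiles.
build_demo_pki() {
    issue_cert root "/CN=Example Root CA" ca.ext
    issue_cert inter "/CN=Example Intermediate CA" ca.ext root
    issue_cert leaf "/CN=stunnel.example" leaf.ext inter
    cp "$WORK/leaf.pem" "$WORK/cafile-leaf-only.pem"
    cat "$WORK/root.pem" "$WORK/inter.pem" "$WORK/leaf.pem" > "$WORK/cafile-chain.pem"
}

# verify_result CAFILE CERT [extra "openssl verify" options]
# Prints "ok" when OpenSSL accepts CERT against CAFILE, "fail" otherwise.
verify_result() {
    cafile=$1; cert=$2; shift 2
    if openssl verify -CAfile "$cafile" "$@" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

build_demo_pki
echo "leaf only in CAfile:               $(verify_result "$WORK/cafile-leaf-only.pem" "$WORK/leaf.pem")"
echo "root only in CAfile:               $(verify_result "$WORK/root.pem" "$WORK/leaf.pem")"
echo "root+intermediate+leaf in CAfile:  $(verify_result "$WORK/cafile-chain.pem" "$WORK/leaf.pem")"
echo "root in CAfile, intermediate sent: $(verify_result "$WORK/root.pem" "$WORK/leaf.pem" -untrusted "$WORK/inter.pem")"
echo "leaf only, -partial_chain:         $(verify_result "$WORK/cafile-leaf-only.pem" "$WORK/leaf.pem" -partial_chain)"
```

The "-untrusted" case corresponds to a TLS peer that sends its intermediate along with the leaf: the chain still has to end at a self-signed root in CAfile, so for verify=3 the leaf and every certificate above it must be present locally, however the peer presents them.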