[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
al_9x at yahoo.com
Tue Oct 25 21:54:26 CEST 2011
On 10/25/2011 2:27 PM, Ludolf Holzheid wrote:
> On Mon, 2011-10-24 01:21:45 -0400, al_9x at yahoo.com wrote:
>> On 10/15/2011 6:37 AM, al_9x at yahoo.com wrote:
>>> If the leaf (server) cert is declared trusted (added to the cafile),
>>> there is no point in walking the trust chain.
>>>
>> Please explain why it's necessary to add the whole chain to cafile. Why
>> is just the server cert insufficient?
> al_9x,
>
> I /think/ the certificates are checked for validity before they are
> checked for being installed locally (Michał, correct me if I'm wrong).
>
verify=3 means checking is done against local certs. My point is that
if the actual server cert is stored locally (i.e. trusted), that should
be enough. When I put just the server cert in cafile, validation (and the
connection) fails, but when I put in the whole chain, it succeeds. Why
isn't the server cert sufficient?
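The behaviour described in this post can be reproduced outside stunnel with the openssl command line, because stunnel delegates certificate verification to OpenSSL, whose default chain builder keeps looking for an issuer until it reaches a self-signed certificate in the trust store; a non-self-signed leaf placed in CAfile is not, by itself, accepted as the end of a chain. The script below is an added example, not code from the thread or from the stunnel project. It assumes only that the openssl binary is on PATH (1.0.2 or newer for the -partial_chain flag); every certificate, key, CA name and hostname in it is generated or constructed on the spot.

```shell
#!/bin/sh
# Added example, not code from the stunnel project or from the thread.
# Assumes: the openssl binary is on PATH (1.0.2 or newer for -partial_chain).
# Every certificate below is generated here; the CA names and hostname are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a three-level chain: self-signed root -> intermediate CA -> server leaf.
make_chain() {
    # Root CA, self-signed: the only kind of certificate the default chain
    # builder accepts as the end of a chain.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -days 365 -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate CA: CSR signed by the root, marked CA:TRUE so it may issue certs.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

    # Server (leaf) certificate, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1

    # The "whole chain" CAfile from the thread: leaf, intermediate and root together.
    cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# verify_against CAFILE [extra flags for openssl verify]
# Verifies server.pem against the given trust file and prints ok or fail.
verify_against() {
    cafile=$1
    shift
    if openssl verify -CAfile "$WORK/$cafile" "$@" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_chain
# Leaf alone in CAfile: the chain builder cannot find the leaf's issuer, so it fails.
echo "leaf only in CAfile:        $(verify_against server.pem)"
# Whole chain in CAfile: the chain reaches the self-signed root and passes.
echo "whole chain in CAfile:      $(verify_against chain.pem)"
# Leaf alone, but with X509_V_FLAG_PARTIAL_CHAIN: a trust-store match on the
# leaf itself is allowed to end the chain, which is the behaviour asked for above.
echo "leaf only, -partial_chain:  $(verify_against server.pem -partial_chain)"
```

The third case is the one that matters for the question: OpenSSL can treat a directly trusted leaf as sufficient, but only when the verifier is run with the PARTIAL_CHAIN flag; without it, the same CAfile that contains nothing but the leaf is rejected with "unable to get local issuer certificate", which is what a stunnel configured with the leaf alone in CAfile sees.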