[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Ludolf Holzheid
lholzheid at bihl-wiedemann.de
Wed Oct 26 09:29:46 CEST 2011
On Tue, 2011-10-25 16:32:35 -0400, al_9x at yahoo.com wrote:
> I am not dealing with my own certs or signing or revoking anything, I am
> making a client connection and want to validate the server cert by
> comparing it to the locally stored cert (verify=3) For this type of
> validation the the server cert should be sufficient.
al_9x,
The server is using its certificate (the associated private key, to be
exact) for signing the session key, and this signature has to be
valid.
Moreover, just comparing the certificates with the installed ones
would turn them to simple passwords.
If you are running stunnel with verify=3, why don't you use
self-signed certificates?
Ludolf
--
---------------------------------------------------------------
Ludolf Holzheid Tel: +49 621 339960
Bihl+Wiedemann GmbH Fax: +49 621 3392239
Floßwörthstraße 41 e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
More information about the stunnel-users
mailing list