On 2016/04/26 17:29, Elmar Stellnberger wrote:
> On 2016-04-26 at 16:04, Stuart Henderson wrote:
> > > www.elstel.org.pem contains the following:
> >
> > And this is certificate 0 from the chain; CN=elstel.org issued by
> > GeoTrust's "Secure Site Starter DV SSL CA - G2". So this one should
> > already be accepted, and shouldn't need any additional flag to do
> > so, except it's not working because you're running into this problem:
> >
> > http://article.gmane.org/gmane.os.openbsd.tech/47048
> >
>
> Yes; that report is similar; as soon as any intermediate or leaf cert is
> known there should at least be a switch to accept that cert even if the
> given root cert is missing. Basically it should be possible to accept such a
> cert by default as well?
It's not just ftp, it's everything using the library. A switch for this makes
no sense, it should be the default (there are ~15 entries we should remove
from cert.pem that we can't because of this).

> There is good reason to disable certain root certs as many rogue certs
> issued for intelligence services are known to be circulating.

> When will that bug be fixed for the ftp program?

Well, it's a tricky area - OpenSSL introduced a vulnerability when they fixed
it in their code (post-libressl-fork). So it won't be fixed until libressl
people find a sane way to do it.
