Hello,

Some time ago the idea was brought up to use openssl's new -trusted_first / X509_V_FLAG_TRUSTED_FIRST mode; a patch was provided:

http://curl.haxx.se/mail/lib-2011-12/0223.html

This issue came up for MacPorts recently:

https://trac.macports.org/ticket/47805

It looks like -trusted_first / X509_V_FLAG_TRUSTED_FIRST didn't actually get into openssl until version 1.0.2, released in March 2015. But now that it is, other software is starting to use it. For example, python 2.7.10 was released to use this option:

http://bugs.python.org/issue23476

I am not an expert in these matters, having just found out about the issue, but it seems like it is important for curl to use this mode, or at least give the user the option to use this mode, otherwise some valid certificates are seen as invalid.

-Ryan
