On Thu, 7 Oct 2021, Christophe THOMAS wrote:

> So without the flag OpenSSL would use another store? One located
> locally or embedded inside OpenSSL?
No. If you look at the patch, the flag merely enables that, for any certificate encountered, it first looks whether the Issuer is found in the local root certificate store, and if so, that’s it, chain accepted.

Without this, it first traverses the chain up to *its* root, which here is the expired X3, because the X1-signed-by-X3 is in the chain. With this, it sees R3-signed-by-X1 and X1 is in the local trust store, so it stops verifying there.

bye,
//mirabilos
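The two issuer-lookup orders described in the reply above, as an added example that is not part of the original message and is not OpenSSL's code. It is a simplified model: `Cert`, `build_path`, the `trusted_first` parameter and the `example.org` leaf are hypothetical names, and the certificates are constructed stand-ins for the R3, X1 and X3 named in the thread.

```python
# Simplified model of issuer lookup order during chain building (not OpenSSL code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    expired: bool = False

# Constructed sample data mirroring the certificates named in the thread.
LEAF = Cert("example.org", "R3")           # hypothetical server certificate
R3 = Cert("R3", "X1")                      # R3-signed-by-X1
X1_CROSS = Cert("X1", "X3")                # X1-signed-by-X3, sent by the server
X1_ROOT = Cert("X1", "X1")                 # self-signed X1 in the local store
X3_ROOT = Cert("X3", "X3", expired=True)   # expired X3 still in the local store

SENT_CHAIN = [R3, X1_CROSS]
TRUST_STORE = [X1_ROOT, X3_ROOT]

def find(pool, name):
    """Return the first certificate in pool whose subject is name, or None."""
    return next((c for c in pool if c.subject == name), None)

def build_path(leaf, untrusted, store, trusted_first):
    """Return (accepted, subjects_on_path) for the chosen lookup order."""
    path, cert, pool = [leaf], leaf, list(untrusted)
    while True:
        anchor = find(store, cert.issuer)  # issuer in the local trust store?
        peer = find(pool, cert.issuer)     # issuer among the peer-sent certs?
        nxt = (anchor or peer) if trusted_first else (peer or anchor)
        if nxt is None:                    # issuer unknown: chain cannot complete
            return False, [c.subject for c in path]
        path.append(nxt)
        if nxt is anchor:                  # reached a trust anchor: stop here
            ok = not any(c.expired for c in path)
            return ok, [c.subject for c in path]
        pool.remove(nxt)                   # use each sent cert once (no loops)
        cert = nxt

if __name__ == "__main__":
    for flag in (False, True):
        print("trusted_first =", flag, "->",
              build_path(LEAF, SENT_CHAIN, TRUST_STORE, flag))
```
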