On 5/27/2015 4:21 AM, Matt Caswell via RT wrote:
> On Wed May 27 06:41:51 2015, [email protected] wrote:
>> On 3/16/2015 5:45 AM, Kai Engert via RT wrote:
>>> Thank you very much for your work on this issue!
>>> In my testing so far, it works as requested.
>>> I noticed the code changes in x509_vfy.c apply fine on top of the 1.0.2
>>> stable branch, and the test suite succeeds.
>>> Will you consider adding this enhancement in a feature release on the
>>> 1.0.2 branch?
>> I second this. It looks like this is also discussed in bug #2634 where
>> it was considered an enhancement and therefore will not be in 1.0.2. It
>> seems more like a bug fix to me though. If OpenSSL can complete the
>> chain it should. What would be the disadvantage of doing so?
> This issue is now being treated as a bug fix and the fix was already applied to
> the 1.0.2 tree a while ago (and therefore will appear in the next 1.0.2
> release). A backport for 1.0.1 also exists but has not yet hit the repo.
> Matt
Thanks Matt. TRUSTED_FIRST flag has been brought up a few times on
curl-library and we are wondering what would be the disadvantages if we
added it to our default flags? Also, the alt chain check in x509_vfy.c
isn't done if TRUSTED_FIRST and I'm having trouble grasping why that is.
Why not check for alternate chains regardless of whether or not you're
checking trusted store first?
_______________________________________________
openssl-dev mailing list