On 5/27/2015 4:21 AM, Matt Caswell via RT wrote:
> On Wed May 27 06:41:51 2015, [email protected] wrote:
>> On 3/16/2015 5:45 AM, Kai Engert via RT wrote:
>>> Thank you very much for your work on this issue!
>>> In my testing so far, it works as requested.
>>>
>>> I noticed the code changes in x509_vfy.c apply fine on top of the 1.0.2
>>> stable branch, and the test suite succeeds.
>>>
>>> Will you consider adding this enhancement in a feature release on the
>>> 1.0.2 branch?
>> I second this. It looks like this is also discussed in bug #2634 where
>> it was considered an enhancement and therefore will not be in 1.0.2. It
>> seems more like a bug fix to me though. If OpenSSL can complete the
>> chain it should. What would be the disadvantage of doing so?
> This issue is now being treated as a bug fix and the fix was already applied to
> the 1.0.2 tree a while ago (and therefore will appear in the next 1.0.2
> release). A backport for 1.0.1 also exists but has not yet hit the repo.
>
> Matt
Thanks Matt. The TRUSTED_FIRST flag has been brought up a few times on curl-library and we are wondering what the disadvantages would be if we added it to our default flags? Also, the alt chain check in x509_vfy.c isn't done if TRUSTED_FIRST is set, and I'm having trouble grasping why that is. Why not check for alternate chains regardless of whether or not you're checking the trusted store first?

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
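The situation the thread is about (a chain that can only be completed if the verifier consults the trust store before the untrusted certificates the peer supplied, or else tries an alternate chain) is easiest to see with a cross-signed root. The script below is an added demonstration, not code from the thread, from OpenSSL or from curl: it builds a constructed PKI (names OldRootA, NewRootB, Intermediate, server.example.test and UnrelatedRoot are all invented), where NewRootB is cross-signed by OldRootA, and then verifies the server's leaf with `openssl verify` against three different trust stores. It assumes an `openssl` binary of version 1.1.1 or later on PATH (where trusted-first chain building and alternate chains are the default, so the chain verifies whichever of the two roots is trusted) and uses only the `req`, `x509` and `verify` subcommands.

```shell
#!/bin/sh
# Added example (not from the thread): cross-signed chain verified with OpenSSL.
# Constructed names throughout; requires openssl >= 1.1.1 on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions for CA certificates (roots, cross-cert, intermediate)
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > ca.ext
# Extensions for the end-entity certificate
printf 'basicConstraints = CA:FALSE\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > leaf.ext

newkey_csr() { # <name> <CN>: fresh P-256 key plus a CSR for that subject
  openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
selfsign() { # <name>: self-signed root from its own CSR
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext \
    -out "$1.pem" 2>/dev/null
}
issue() { # <csr-name> <ca-name> <extfile> <out-name>: certificate issued by <ca-name>
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$4.pem" 2>/dev/null
}

newkey_csr oldA OldRootA;  selfsign oldA          # the old, widely deployed root
newkey_csr newB NewRootB;  selfsign newB          # the new root
issue newB oldA ca.ext newB-cross                 # cross-cert: NewRootB's key, signed by OldRootA
newkey_csr inter Intermediate; issue inter newB ca.ext inter
newkey_csr leaf server.example.test; issue leaf inter leaf.ext leaf
newkey_csr other UnrelatedRoot; selfsign other    # a root unrelated to the chain

# What the server sends alongside the leaf: intermediate plus the cross-cert
cat inter.pem newB-cross.pem > untrusted.pem

verify_with() { # <trust-store-file> -> prints OK or FAIL
  if openssl verify -CAfile "$1" -untrusted untrusted.pem leaf.pem >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Trusting only NewRootB: the issuer of Intermediate is found in the trust store
# (trusted first), so the cross-cert in the untrusted bundle is not needed.
echo "trust only NewRootB:     $(verify_with newB.pem)"
# Trusting only OldRootA: the chain continues through the cross-cert to OldRootA.
echo "trust only OldRootA:     $(verify_with oldA.pem)"
# Trusting an unrelated root: no path to a trust anchor exists.
echo "trust only UnrelatedRoot: $(verify_with other.pem)"
```

On a 1.0.2 build without trusted-first and without the alternate-chain fix, the second case still succeeds but the first does not: chain building takes the cross-cert from the untrusted bundle, reaches OldRootA, finds it absent from the store and stops, even though NewRootB itself was trusted all along. That is exactly the failure the thread describes being fixed.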
