CVSROOT: /cvs
Module name: src
Changes by: js...@cvs.openbsd.org 2021/09/30 12:23:46
Modified files:
lib/libcrypto/x509: x509_vpm.c
Log message:
Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
In order to work around the expired DST Root CA X3 certficiate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.
Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.
ok millert@ robert@ tb@
