CVSROOT:        /cvs
Module name:    src
Changes by:     b...@cvs.openbsd.org    2022/06/25 14:01:43

Modified files:
        lib/libcrypto/x509: x509_verify.c 
        regress/lib/libcrypto/x509: Makefile 
Added files:
        regress/lib/libcrypto/x509: expirecallback.c 

Log message:
Move leaf certificate checks to the last thing after chain validation.

While seemingly illogical and not what is done in Go's validator, this
mimics OpenSSL's behavior so that callback overrides for the expiry of
a certificate will not "sticky" override a failure to build a chain.

ok jsing@
