[openssl-dev] [openssl.org #2634] Cross-signed certs rejected by OpenSSL because root cert not base of chain

Matt Caswell matt at openssl.org
Wed Feb 25 13:30:42 UTC 2015



On 25/02/15 13:18, Matt Caswell wrote:
> This is not a bug as such in OpenSSL but an addition to the existing
> verify algorithm. As such this won't be backported to released versions
> (which only receive bug fixes). It will however be in OpenSSL 1.1.0.

I should add that OpenSSL 1.0.2 does already have the
X509_V_FLAG_TRUSTED_FIRST flag (-trusted_first option to s_client) that
does a very similar job in a slightly different way. However, it is not
the default like the new commits.

Matt
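
Added example, not part of the original message or of the OpenSSL source: a constructed cross-signed PKI checked with `openssl verify`, passing the `-trusted_first` option mentioned above (on releases where trusted-first is already the default, the option changes nothing). All certificate names, file names and the helper functions `build_cross_signed_pki` and `verify_leaf` are assumptions made for this demo.

```shell
#!/bin/sh
# Constructed test PKI: every name, key and file below is made up for this demo.
build_cross_signed_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    (
        cd "$dir" &&
        # Two independent self-signed roots, "old" and "new".
        for r in old new; do
            openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
                -nodes -keyout "$r.key" -out "${r}_root.pem" -days 30 \
                -subj "/CN=Constructed $r root" || exit 1
        done &&
        # Cross-certificate: the NEW root's name and key, signed by the OLD root.
        openssl req -new -config pki.cnf -key new.key \
            -subj "/CN=Constructed new root" -out new.csr &&
        openssl x509 -req -in new.csr -CA old_root.pem -CAkey old.key \
            -CAcreateserial -extfile pki.cnf -extensions v3_ca -days 30 \
            -out new_cross.pem &&
        # Leaf issued with the new root's key, so it chains to either root.
        openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
            -keyout leaf.key -subj "/CN=leaf.example" -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA new_root.pem -CAkey new.key \
            -CAcreateserial -days 30 -out leaf.pem
    ) >/dev/null 2>&1
}

# verify_leaf DIR TRUST_ANCHOR [extra "openssl verify" options]; status 0 = chain accepted.
verify_leaf() {
    dir=$1; anchor=$2; shift 2
    openssl verify "$@" -CAfile "$dir/$anchor" "$dir/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_cross_signed_pki "$d" || exit 1
trap 'rm -rf "$d"' EXIT
# Peer offers the cross-certificate, but only the new root is trusted locally.
verify_leaf "$d" new_root.pem -trusted_first -untrusted "$d/new_cross.pem" \
    && echo "new root trusted, cross-cert offered: accepted"
# A verifier that trusts only the old root needs the cross-certificate.
verify_leaf "$d" old_root.pem -untrusted "$d/new_cross.pem" && echo "old root, via cross-cert: accepted"
verify_leaf "$d" old_root.pem || echo "old root, no cross-cert: rejected (expected)"
```
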


