[openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default

Matt Caswell via RT rt at openssl.org
Wed May 27 08:21:47 UTC 2015


On Wed May 27 06:41:51 2015, raysatiro at yahoo.com wrote:
> On 3/16/2015 5:45 AM, Kai Engert via RT wrote:
> > Thank you very much for your work on this issue!
> > In my testing so far, it works as requested.
> >
> > I noticed the code changes in x509_vfy.c apply fine on top of the 1.0.2
> > stable branch, and the test suite succeeds.
> >
> > Will you consider adding this enhancement in a feature release on the
> > 1.0.2 branch?
>
> I second this. It looks like this is also discussed in bug #2634 where
> it was considered an enhancement and therefore will not be in 1.0.2. It
> seems more like a bug fix to me though. If OpenSSL can complete the
> chain it should. What would be the disadvantage of doing so?

This issue is now being treated as a bug fix and the fix was already applied to
the 1.0.2 tree a while ago (and therefore will appear in the next 1.0.2
release). A backport for 1.0.1 also exists but has not yet hit the repo.

Matt


