[openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default

Ray Satiro raysatiro at yahoo.com
Fri May 29 03:40:16 UTC 2015


On 5/27/2015 4:21 AM, Matt Caswell via RT wrote:
> On Wed May 27 06:41:51 2015, raysatiro at yahoo.com wrote:
>> On 3/16/2015 5:45 AM, Kai Engert via RT wrote:
>>> Thank you very much for your work on this issue!
>>> In my testing so far, it works as requested.
>>>
>>> I noticed the code changes in x509_vfy.c apply fine on top of the 1.0.2
>>> stable branch, and the test suite succeeds.
>>>
>>> Will you consider to add this enhancement in a feature release on the
>>> 1.0.2 branch?
>> I second this. It looks like this is also discussed in bug #2634 where
>> it was considered an enhancement and therefore will not be in 1.0.2. It
>> seems more like a bug fix to me though. If OpenSSL can complete the
>> chain it should. What would be the disadvantage of doing so?
> This issue is now being treated as a bug fix and the fix was already applied to
> the 1.0.2 tree a while ago (and therefore will appear in the next 1.0.2
> release). A backport for 1.0.1 also exists but has not yet hit the repo.
>
> Matt

Thanks Matt. The TRUSTED_FIRST flag has been brought up a few times on 
curl-library and we are wondering what the disadvantages would be if we 
added it to our default flags. Also, the alt chain check in x509_vfy.c 
isn't done if TRUSTED_FIRST is set, and I'm having trouble grasping why that is. 
Why not check for alternate chains regardless of whether or not you're 
checking the trusted store first?


More information about the openssl-dev mailing list