[openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

William M Edmonds via RT rt at openssl.org
Tue Aug 9 01:45:24 UTC 2016



If I specify a CAfile that includes the leaf certificate and/or
intermediate CA certificates, but not the root certificate, then
verification fails. This doesn't seem at all right. I need to be able to
trust a lower layer of the certificate hierarchy without trusting
everything from the root CA down, and I can't see any security
vulnerability in doing so. It also seems inefficient for OpenSSL to
continue checking higher levels of the chain once it has verified that a
lower level is trusted.

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644
Please log in as guest with password guest if prompted
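
The behaviour reported above can be reproduced with a throwaway chain. This is an added example, not part of the original message or the ticket. It assumes an `openssl` binary of version 1.0.2 or later, because it uses the `-partial_chain` option of `openssl verify`, which the 1.0.1e build quoted in the report does not have. All file names and subject names are constructed.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); every name is made up.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=example-$n" >/dev/null 2>&1 || return 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" \
        -out "$d/int.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" >/dev/null 2>&1 &&
    cat "$d/root.pem" "$d/int.pem" > "$d/full.pem"
}

# Usage: verify_leaf DIR CAFILE [extra verify options]
# Prints "trusted" or "rejected". The output is parsed rather than the exit
# status, because older releases do not reliably signal failure through it.
verify_leaf() {
    d=$1; ca=$2; shift 2
    if openssl verify "$@" -CAfile "$d/$ca" "$d/leaf.pem" 2>&1 | grep -q ': OK$'; then
        echo trusted
    else
        echo rejected
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    # CAfile holds only the intermediate: the chain cannot reach a self-signed root.
    echo "intermediate only:                 $(verify_leaf "$d" int.pem)"
    # Same CAfile, but the intermediate is accepted as the trust anchor.
    echo "intermediate only, -partial_chain: $(verify_leaf "$d" int.pem -partial_chain)"
    # Root and intermediate both present: the default behaviour succeeds.
    echo "root + intermediate:               $(verify_leaf "$d" full.pem)"
    rm -rf "$d"
}
demo
```

With `-partial_chain`, every certificate in the CAfile is a trust anchor in its own right, so nothing above it in the hierarchy is consulted during verification.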


