[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Viktor Dukhovni openssl-users at dukhovni.org
Fri Mar 11 00:18:27 UTC 2016

On Fri, Mar 11, 2016 at 12:56:04AM +0100, Jakob Bohm wrote:

> Your reply below is a perfect illustration of the expected confusion.

Sorry, I disagree.  The 1.1.0 changes fix various shortcomings that
may well also be addressed in a future 1.0.2 update.

The net effect is more consistent behaviour that is the same whether
intermediate certificates are found in the trust-store or obtained
from the peer.  The few applications that enable partial chain
support and the likely zero users who've created "decorated"
intermediate certs in the OpenSSL trust store might notice some

If you strongly feel that the behaviour should be the same for all
users, that sounds like support for backporting the changes, which
is something I will be proposing soon.


More information about the openssl-users mailing list