author | Bodo Moeller <bodo@openssl.org> | 2013-09-17 09:48:23 +0200 |
---|---|---|
committer | Bodo Moeller <bodo@openssl.org> | 2013-09-17 09:48:23 +0200 |
commit | cdf84b719cdbbe0ffe08d449722864f30da0e2a7 (patch) | |
tree | 53a81b3bf10054e00e5cf8e33a04e979e1eddd2c /CHANGES | |
parent | 92acab0b6a540fb2990ced45815f56072ef66d20 (diff) | |
Move the change note for partial chain verification: this is code from
the main branch (http://cvs.openssl.org/chngview?cn=19322) later added
to the 1.0.2 branch (http://cvs.openssl.org/chngview?cn=23113), and
thus not a change "between 1.0.2 and 1.1.0".
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 18 |
1 files changed, 6 insertions, 12 deletions
@@ -252,12 +252,6 @@ security. [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)] - *) Initial experimental support for explicitly trusted non-root CAs. - OpenSSL still tries to build a complete chain to a root but if an - intermediate CA has a trust setting included that is used. The first - setting is used: whether to trust or reject. - [Steve Henson] - *) New -verify_name option in command line utilities to set verification parameters by name. [Steve Henson] @@ -461,12 +455,12 @@ *) Fix OCSP checking. [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie] - *) Backport support for partial chain verification: if an intermediate - certificate is explicitly trusted (using -addtrust option to x509 - utility for example) the verification is sucessful even if the chain - is not complete. - The OCSP checking fix depends on this backport. - [Steve Henson and Rob Stradling <rob.stradling@comodo.com>] + *) Initial experimental support for explicitly trusted non-root CAs. + OpenSSL still tries to build a complete chain to a root but if an + intermediate CA has a trust setting included that is used. The first + setting is used: whether to trust (e.g., -addtrust option to the x509 + utility) or reject. + [Steve Henson] *) Add -trusted_first option which attempts to find certificates in the trusted store even if an untrusted chain is also supplied. |
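Review bot: In the second hunk (@@ -461), the replacement entry drops two facts that the removed entry stated: that verification is successful "even if the chain is not complete", and that "The OCSP checking fix depends on this backport." The entry directly above it is "Fix OCSP checking", so a reader of this section no longer learns of the dependency, and the new wording ("OpenSSL still tries to build a complete chain to a root") does not say outright that an explicitly trusted intermediate ends verification successfully without a root. Suggest carrying both sentences over into the new text. The attribution also changes from "[Steve Henson and Rob Stradling <rob.stradling@comodo.com>]" to "[Steve Henson]"; if the backport credit still applies in this section, keep it. Finally, "if an intermediate CA has a trust setting included that is used" would read more clearly with a comma before "that is used".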