curl-library

Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen <tim.ruehsen_at_gmx.de>
Date: Mon, 14 Dec 2015 16:49:01 +0100

On Monday 14 December 2015 15:50:25 Daniel Stenberg wrote:
> On Wed, 25 Nov 2015, Reiner Herrmann wrote:
> > By default OpenSSL only accepts connections if the full chain to the root
> > can be verified. If only an intermediate CA in the chain is trusted,
> > setting this flag also allows the connection when the root CA is not
> > trusted. This is also the default behavior for e.g. GnuTLS.
>
> Hi again, let's bring this patch back to life.
>
> What would you say about adding a bit to the CURLOPT_SSL_OPTIONS option to
> allow an application to optionally switch off "partial trust chains" ?

What about adding an option to switch on "partial trust chains" ?

Then take time to discuss this issue with *real experts* and eventually change
the default if you are 100% sure to do the right thing ?

Tim

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
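The behaviour under discussion can be seen directly with the OpenSSL command line. The script below is an added example, not code from the thread or from curl: it builds a throwaway root -> intermediate -> leaf chain (constructed test data), then runs `openssl verify` with only the intermediate as the trust anchor, once with OpenSSL's default full-chain requirement and once with the `-partial_chain` switch, which enables the same `X509_V_FLAG_PARTIAL_CHAIN` verification flag an application would set on its verify parameters. The helper function name `verify_chain` and the certificate names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: show OpenSSL's default "chain must reach a trusted root"
# behaviour versus partial-chain trust. All keys and certificates here are
# constructed on the fly and discarded afterwards.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so the script does not depend on the system openssl.cnf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# Root CA (self-signed)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root" -days 30 -config ca.cnf -extensions v3_ca 2>/dev/null

# Intermediate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate" -config ca.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null

# Leaf (server) certificate, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" -config ca.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# verify_chain TRUSTFILE [extra openssl verify flags...]
# Prints "ok" when OpenSSL accepts leaf.pem against the given trust store,
# "fail" otherwise. Diagnostics are suppressed so the result is easy to test.
verify_chain() {
  trust=$1
  shift
  if openssl verify -CAfile "$trust" "$@" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# 1. Root trusted, intermediate supplied as untrusted: accepted by default.
echo "root trusted, full chain:        $(verify_chain root.pem -untrusted int.pem)"
# 2. Only the intermediate trusted, default flags: rejected, because OpenSSL
#    keeps looking for the intermediate's issuer and never reaches a root.
echo "intermediate trusted, default:   $(verify_chain int.pem)"
# 3. Only the intermediate trusted, partial chains allowed: accepted, the
#    trusted intermediate itself terminates the chain.
echo "intermediate trusted, -partial_chain: $(verify_chain int.pem -partial_chain)"
```

Case 2 is the rejection Reiner's patch description refers to; case 3 is what the flag changes. Note what partial-chain trust actually means for a deployment: the intermediate in the trust store becomes an anchor in its own right, so its revocation or replacement by the root CA no longer affects acceptance until the trust store itself is updated. That is why the thread debates whether it should be opt-in rather than the default.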

Received on 2015-12-14