> By default OpenSSL only accepts connections if the full chain to
> the root can be verified.

This seems to be a very good idea :-)

> If only an intermediate CA in the chain is trusted, setting this
> flag also allows the connection when the root CA is not trusted.

Maybe I don't get your point. The server cert is signed by an intermediate CA. This is signed by (intermediate cert | root CA). Repeat the last step until you reach the root CA. The root CA is the only one you trust by definition (normally/often root CAs are installed by your distribution). If one part of this chain isn't trusted, the server cert isn't trusted as well.

Why do you propose such a behavior as default behavior (what am I missing)? Could you explain the purpose in detail, please. I can imagine some cases where such behavior is wanted. How about a CLI option?

Tim

On Wednesday 25 November 2015 19:09:44 Reiner Herrmann wrote:
> If only an intermediate CA in the chain is trusted, setting this
> flag also allows the connection when the root CA is not trusted.
> This is also the default behavior for e.g. GnuTLS.
> ---
>  lib/vtls/openssl.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
> index b2520e8..5a18845 100644
> --- a/lib/vtls/openssl.c
> +++ b/lib/vtls/openssl.c
> @@ -1971,6 +1971,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
>             data->set.str[STRING_SSL_CRLFILE]: "none");
>    }
>
> +  /* Allow partial trust chains, so that trusting an intermediate CA
> +   * is sufficient. */
> +#if defined(X509_V_FLAG_PARTIAL_CHAIN)
> +  X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
> +                       X509_V_FLAG_PARTIAL_CHAIN);
> +#endif
> +
>    /* Try building a chain using issuers in the trusted store first to avoid
>       problems with server-sent legacy intermediates.
>       Newer versions of OpenSSL do alternate chain checking by default which

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
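Review bot: the X509_STORE_set_flags() call in this hunk turns partial-chain verification on unconditionally for every OpenSSL-backed connection, and only on builds where X509_V_FLAG_PARTIAL_CHAIN is defined, so the same curl code verifies a server chain differently depending on which OpenSSL it was built against and nothing tells the user which behaviour they got. Suggest making it opt-in (a CURLOPT / command-line switch, as asked above) instead of a new default, and documenting that with it enabled trusting an intermediate CA is sufficient; at the moment the comment `/* Allow partial trust chains, so that trusting an intermediate CA` is the only record of the change in semantics.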
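To make the difference Tim asks about concrete, here is a constructed shell demonstration, added here and not part of the patch or of curl, that builds a root/intermediate/leaf chain with the openssl CLI and verifies the leaf three ways; `openssl verify -partial_chain` sets the same X509_V_FLAG_PARTIAL_CHAIN flag the hunk enables. The certificate names, the temp directory and the ext.cnf file are my own assumptions.

```shell
# Constructed demo (not from the patch or from curl): build root -> int -> leaf
# in a temp dir, then verify the leaf with and without partial chains.
# Names (root, int, leaf) and file names are our own choices.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# gen_key NAME: fresh P-256 private key in $WORK/NAME.key
gen_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$1.key" 2>/dev/null
}
# sign NAME ISSUER EXT: CSR for NAME, signed by ISSUER's key with section EXT
sign() {
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -config "$CNF" \
    -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$CNF" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}
build_chain() {
  gen_key root && gen_key int && gen_key leaf &&
  openssl req -x509 -new -key "$WORK/root.key" -subj /CN=root -days 1 \
    -config "$CNF" -extensions ca_ext -out "$WORK/root.pem" 2>/dev/null &&
  sign int root ca_ext && sign leaf int leaf_ext
}

# verify_leaf TRUSTED [verify options...]: prints "ok" or "fail" for leaf.pem
# when the trust store holds only TRUSTED.pem (root or int).
verify_leaf() {
  trusted="$WORK/$1.pem"; shift
  if openssl verify "$@" -CAfile "$trusted" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_chain || { echo "certificate setup failed" >&2; exit 1; }
echo "root trusted, intermediate sent by server:  $(verify_leaf root -untrusted "$WORK/int.pem")"
echo "only intermediate trusted (OpenSSL default): $(verify_leaf int)"
echo "only intermediate trusted, -partial_chain:   $(verify_leaf int -partial_chain)"
```

The second line is the case the patch changes: without the flag OpenSSL stops with "unable to get issuer certificate" at the intermediate, with it the intermediate in the store is accepted as the trust anchor.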
