On Monday 14 December 2015 15:50:25 Daniel Stenberg wrote:
> On Wed, 25 Nov 2015, Reiner Herrmann wrote:
> > By default OpenSSL only accepts connections if the full chain to the root
> > can be verified. If only an intermediate CA in the chain is trusted,
> > setting this flag also allows the connection when the root CA is not
> > trusted. This is also the default behavior for e.g. GnuTLS.
>
> Hi again, let's bring this patch back to life.
>
> What would you say about adding a bit to the CURLOPT_SSL_OPTIONS option to
> allow an application to optionally switch off "partial trust chains" ?

What about adding an option to switch on "partial trust chains"? Then take time to discuss this issue with *real experts* and eventually change the default if you are 100% sure to do the right thing?

Tim

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
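
The behaviour debated in this thread, reproduced with the `openssl` command-line tool as an added example (it is not part of the message or of the curl patch). The three-certificate PKI and all file names are constructed for the demo, and the script assumes an OpenSSL build whose `verify` command supports `-partial_chain`.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo root -> Demo int -> Demo leaf.
work=$(mktemp -d) && cd "$work" || exit 1
trap 'rm -rf "$work"' EXIT

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# issue NAME ISSUER EXTFILE: new key and CSR for NAME, signed by ISSUER.
# ISSUER equal to NAME produces a self-signed certificate.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ "$1" = "$2" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# verify_leaf ANCHOR [FLAGS...]: verify leaf.pem with ANCHOR.pem as the only
# certificate supplied via -CAfile. Returns 0 when the chain is accepted.
verify_leaf() {
    anchor=$1; shift
    openssl verify -CAfile "$anchor.pem" "$@" leaf.pem >/dev/null 2>&1
}

issue root root ca.ext && issue int root ca.ext && issue leaf int leaf.ext || exit 1

# Each entry is "ANCHOR FLAGS..."; word splitting of $args is intended.
for args in "int" "int -partial_chain" "root -untrusted int.pem"; do
    if verify_leaf $args; then result=accepted; else result=rejected; fi
    echo "trusted=$args => $result"
done
# Expected on OpenSSL:
#   trusted=int                     => rejected  (root is missing, default behaviour)
#   trusted=int -partial_chain      => accepted  (chain may end at the trusted intermediate)
#   trusted=root -untrusted int.pem => accepted  (full chain to a trusted root)
```

The second case is the one the default matters for: once partial chains are allowed, every non-root certificate placed in the trust store becomes a sufficient trust anchor on its own.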
