On Fri, Nov 29, 2019 at 7:07 AM Daniel Stenberg <[email protected]> wrote:

> On Fri, 29 Nov 2019, Jeffrey Walton wrote:
> ...
> I take your long email was a funny way to say: "I want curl to be okay with
> partial cert chains with OpenSSL since it doesn't impose any additional
> security problem and other TLS libraries/backends already support that" ?

Well spoken, sir.

For the common case, do nothing. Leave cURL the way it is. That captures the 95%'ers.

For folks who prefer to specify a trust anchor, provide us with an option like CURLOPT_TRUSTANCHOR. Accept my list of CA(s). When cURL encounters the option, add X509_V_FLAG_PARTIAL_CHAIN to the OpenSSL context options.

GnuTLS backend silently accepts CURLOPT_TRUSTANCHOR since that is default behavior.

On older OpenSSL without X509_V_FLAG_PARTIAL_CHAIN, CURLOPT_TRUSTANCHOR should probably return an error.

Jeff
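The behaviour the proposal hinges on, shown with the OpenSSL command line rather than curl, as an added example that is not part of this thread or of curl's code: `openssl verify -partial_chain` sets the same X509_V_FLAG_PARTIAL_CHAIN that the suggested CURLOPT_TRUSTANCHOR would set, so an intermediate CA alone is accepted as the trust anchor only in that mode. It assumes the `openssl` CLI (1.0.2 or later) is on PATH; the three-level chain is constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example: an intermediate CA as trust anchor works only with
# X509_V_FLAG_PARTIAL_CHAIN (CLI: -partial_chain). Not curl's code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed chain for the demo: Demo-Root -> Demo-Intermediate -> leaf.
make_chain() {
  [ -f "$WORK/leaf.crt" ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"
  # Self-signed root (req -x509 marks it CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" -subj /CN=Demo-Root -days 1 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj /CN=Demo-Intermediate 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # End-entity certificate, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj /CN=example.test 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_leaf MODE ANCHORFILE: returns 0 when OpenSSL accepts leaf.crt with
# ANCHORFILE as the only trusted certificate. MODE "partial" enables
# X509_V_FLAG_PARTIAL_CHAIN; any other value is the default strict behaviour.
# The intermediate is always offered as an untrusted chain certificate, as a
# server would send it.
verify_leaf() {
  if [ "$1" = partial ]; then
    openssl verify -partial_chain -untrusted "$WORK/int.crt" -CAfile "$2" \
      "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -untrusted "$WORK/int.crt" -CAfile "$2" \
      "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

make_chain
verify_leaf strict  "$WORK/root.crt" && echo "root anchor, default mode:     accepted"
verify_leaf strict  "$WORK/int.crt"  || echo "intermediate anchor, default:  rejected"
verify_leaf partial "$WORK/int.crt"  && echo "intermediate anchor, partial:  accepted"
```

The same three outcomes are what a libcurl user would see from `--cacert`/CURLOPT_CAINFO today versus the proposed CURLOPT_TRUSTANCHOR: without the flag OpenSSL keeps walking up from the intermediate looking for a self-signed root and fails with "unable to get local issuer certificate".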
