On Mon, 22 Jun 2015, Doug Leavitt wrote:
> [...]
> The code change itself is simple. At a minimum it is as simple as adding:
> #ifdef X509_V_FLAG_PARTIAL_CHAIN
> Perhaps with a doc patch too, since this would make OpenLDAP one of
> (apparently very) few OpenSSL-linked applications that honors partial
> chains.
> OpenSSL by default ignores trust-list entries that are not for root CAs.
> Adding just the "mysystem" certificate has no effect. With this change,
> you can add the "mysystem" certificate and that will cause OpenSSL to
> accept this certificate, even though the trust list does not include the
> CA's root certificate.
The comment "even though the trust list does not include the CA's root
certificate" seems a bit odd to me:
An argument that we take today's behavior (require rootCA;
mysystemA[rootCA] or mysystemB[rootCA] are both OK) and make it more
strict with "require rootCA AND mysystemA[rootCA]" intuitively sounds like
an increase in security...if you have a client environment controlled
enough to distribute ldap.example.com's material along with your CA store,
go for it.
But the concept of "require ldap.example.com" while (optionally?) throwing
out the existing rootCA (and presumably its associated CRL/OCSP/etc.)
checking sounds like it could introduce risk. So is ldap.example.com truly
an "add" to the chain, or is the rootCA not included (i.e. removed)?
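An added demonstration of the behaviour the two messages above are discussing; it is not code from this thread or from OpenLDAP. It builds a constructed three-level PKI (a root, an intermediate, and a server certificate for ldap.example.com, the name used in the reply) and then runs `openssl verify` with and without `-partial_chain`, which is the command-line form of X509_V_FLAG_PARTIAL_CHAIN. It assumes an `openssl` binary of version 1.0.2 or later on PATH (the flag and the verify option both appeared in 1.0.2); the CA names, the temporary files and the `verify_leaf` helper are all constructed for this example.

```shell
#!/bin/sh
# Constructed demo (not from the thread or OpenLDAP): root -> intermediate ->
# ldap.example.com, then "openssl verify" with and without -partial_chain.
# Assumes openssl >= 1.0.2 on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config. Subjects come from -subj; the [dn] section exists only because
# "openssl req" insists on one. v3_ca marks a CA, v3_leaf an end-entity cert.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.com
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# issue CSR CACERT CAKEY EXTSECTION OUT: sign a CSR with the given CA.
issue() {
    openssl x509 -req -sha256 -days 1 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions "$4" -out "$5" 2>/dev/null
}

# 1. Self-signed root CA.
newkey "$WORK/root.key"
openssl req -x509 -new -sha256 -days 1 -key "$WORK/root.key" -config "$WORK/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" -out "$WORK/root.pem"

# 2. Intermediate CA signed by the root.
newkey "$WORK/int.key"
openssl req -new -sha256 -key "$WORK/int.key" -config "$WORK/openssl.cnf" \
    -subj "/CN=Example Intermediate CA" -out "$WORK/int.csr"
issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" v3_ca "$WORK/int.pem"

# 3. Server certificate (the "mysystem" of the thread) signed by the intermediate.
newkey "$WORK/leaf.key"
openssl req -new -sha256 -key "$WORK/leaf.key" -config "$WORK/openssl.cnf" \
    -subj "/CN=ldap.example.com" -out "$WORK/leaf.csr"
issue "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" v3_leaf "$WORK/leaf.pem"

# A conventional trust store: root plus intermediate.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/full.pem"

# verify_leaf STORE [FLAG]: verify leaf.pem against the PEM bundle STORE, with an
# optional extra "openssl verify" flag such as -partial_chain. Prints the verdict
# and always returns 0 so it is safe to call under set -e.
verify_leaf() {
    if openssl verify ${2:-} -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

printf '%-42s %s\n' "root+intermediate in store, no flag:" "$(verify_leaf "$WORK/full.pem")"
printf '%-42s %s\n' "intermediate only, no flag:"          "$(verify_leaf "$WORK/int.pem")"
printf '%-42s %s\n' "intermediate only, -partial_chain:"   "$(verify_leaf "$WORK/int.pem" -partial_chain)"
printf '%-42s %s\n' "leaf itself only, no flag:"           "$(verify_leaf "$WORK/leaf.pem")"
printf '%-42s %s\n' "leaf itself only, -partial_chain:"    "$(verify_leaf "$WORK/leaf.pem" -partial_chain)"
printf '%-42s %s\n' "root+intermediate, -partial_chain:"   "$(verify_leaf "$WORK/full.pem" -partial_chain)"
```

The first four lines of output reproduce the quoted claim: without the flag a trust store holding only the intermediate, or only the server certificate, is rejected because no self-signed root can be reached, and with the flag either one is accepted. The last line shows the flag is additive: a store that does contain the root still verifies the full chain. What changes is where chain building stops. With the flag set, the first certificate found in the trust store becomes the anchor, so for that chain neither the root nor anything checked at the root level is consulted; that is the point behind the question in the reply about the root and its CRL/OCSP checks. The root and intermediate are not removed from the store, and chains that do not meet a trusted entry earlier are still validated up to the root as before.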