If I specify a CAfile that includes the leaf certificate and/or intermediate CA certificates, but not the root certificate, then verification fails. This doesn't seem at all right. I need to be able to trust a lower layer of the certificate hierarchy without trusting everything from the root CA down, and I can't see any security vulnerability in doing so. It also seems inefficient for OpenSSL to continue checking higher levels of the chain once it has verified that a lower level is trusted.
    # openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013
    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.2 (Maipo)

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644
Please log in as guest with password guest if prompted
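Added example (not part of the original post and not OpenSSL project code): a constructed root -> intermediate -> leaf hierarchy that reproduces the reported behaviour with `openssl verify`, next to the `-partial_chain` option that OpenSSL 1.0.2 and later accept for treating a non-root certificate in the CAfile as a trust anchor. All subject names, file names and helper functions are made up for the example.

```shell
#!/usr/bin/env bash
# Added example. Every name and file here is constructed for illustration.
# Needs OpenSSL 1.0.2 or later, the first release with -partial_chain.

# Create a key and CSR: $1 = directory, $2 = file stem, $3 = subject
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
build_chain() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  new_csr "$d" root "/CN=Example Root" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
  new_csr "$d" int "/CN=Example Intermediate" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
  new_csr "$d" leaf "/CN=leaf.example.test" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Return 0 only if `openssl verify` prints "OK" for the leaf.
# $1 = directory, remaining arguments = verify options.
# The output is parsed because 1.0.x exits 0 even when verification fails.
verify_leaf() {
  local d=$1; shift
  openssl verify "$@" "$d/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

report() {  # $1 = label, rest = arguments for verify_leaf
  local label=$1; shift
  if verify_leaf "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_chain "$d" || { echo "could not build test chain"; rm -rf "$d"; return 1; }
  report "root trusted, intermediate untrusted" "$d" -CAfile "$d/root.pem" -untrusted "$d/int.pem"
  report "intermediate only in CAfile" "$d" -CAfile "$d/int.pem"
  report "intermediate only, -partial_chain" "$d" -partial_chain -CAfile "$d/int.pem"
  rm -rf "$d"
}
demo
```

With `-partial_chain`, chain building stops at the first certificate found in the trust store, so the scope of trust is limited to what that intermediate (or leaf) covers.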