On Mon, Aug 26, 2013 at 12:29:21PM -0400, Salz, Rich wrote:

> Suppose I have a three-length chain: rootCA, interCA, userCert.
> If I call X509_verify with depth 1 and only interCA in the trusted
> list, will that pass?

Yes, with the as yet unreleased 1.0.2 development branch. No with 1.0.1e or earlier. With these versions the ultimately trusted certificate must be self-signed. The Postfix DANE implementation works around this by generating synthetic trusted root CAs to complete chains that lead to a trusted intermediate CA.

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
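
Added example, not part of the original message: the three-certificate chain from the question, verified with only interCA in the trusted file. It assumes an `openssl` command-line tool that has the `verify -partial_chain` option (OpenSSL 1.0.2 or later); the function names, subjects and file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed test chain: rootCA -> interCA -> userCert, built in a temp dir.
# build_chain and verify_with_inter are illustrative helper names.

build_chain() {  # $1 = working directory
    d=$1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/c.cnf"
    # Self-signed root CA.
    openssl req -config "$d/c.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=rootCA" -days 2 \
        2>/dev/null || return 1
    # Intermediate CA, issued by the root (not self-signed).
    openssl req -config "$d/c.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/inter.key" -out "$d/inter.csr" -subj "/CN=interCA" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/c.cnf" -extensions ca -days 2 \
        -out "$d/inter.pem" 2>/dev/null || return 1
    # End-entity certificate, issued by the intermediate.
    openssl req -config "$d/c.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/user.key" -out "$d/user.csr" -subj "/CN=userCert" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/user.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/user.pem" 2>/dev/null || return 1
}

# Verify userCert with ONLY interCA in the trusted file.
# $1 = working directory; any further arguments are passed to `openssl verify`.
verify_with_inter() {
    d=$1; shift
    openssl verify "$@" -CAfile "$d/inter.pem" "$d/user.pem" >/dev/null 2>&1
}

work=$(mktemp -d) || exit 1
build_chain "$work" || { echo "chain generation failed"; rm -rf "$work"; exit 1; }
# Default: the trust anchor must be self-signed, so the chain is incomplete.
if verify_with_inter "$work"; then echo "default: trusted"
else echo "default: rejected"; fi                       # expected: rejected
# With -partial_chain the non-self-signed interCA is accepted as the anchor.
if verify_with_inter "$work" -partial_chain; then echo "-partial_chain: trusted"
else echo "-partial_chain: rejected"; fi                # expected: trusted
rm -rf "$work"
```

Library callers get the same behaviour by setting `X509_V_FLAG_PARTIAL_CHAIN` on the verification parameters.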