From: Bodo Moeller Date: Tue, 17 Sep 2013 07:55:27 +0000 (+0200) Subject: Sync with version from master. X-Git-Tag: OpenSSL_1_0_2-beta1~277 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=8c149cfd834748c8ee9cca4cd5b336c1829245a2;p=oweals%2Fopenssl.git Sync with version from master. --- diff --git a/CHANGES b/CHANGES index 943080944c..6f780077b1 100644 --- a/CHANGES +++ b/CHANGES @@ -174,12 +174,12 @@ *) Fix OCSP checking. [Rob Stradling and Ben Laurie] - *) Backport support for partial chain verification: if an intermediate - certificate is explicitly trusted (using -addtrust option to x509 - utility for example) the verification is sucessful even if the chain - is not complete. - The OCSP checking fix depends on this backport. - [Steve Henson and Rob Stradling ] + *) Initial experimental support for explicitly trusted non-root CAs. + OpenSSL still tries to build a complete chain to a root but if an + intermediate CA has a trust setting included that is used. The first + setting is used: whether to trust (e.g., -addtrust option to the x509 + utility) or reject. + [Steve Henson] *) Add -trusted_first option which attempts to find certificates in the trusted store even if an untrusted chain is also supplied.
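Review bot: In the rewritten CHANGES entry, "The first setting is used: whether to trust ... or reject" does not say in which order the chain is examined, so a reader cannot tell which certificate's trust setting wins when more than one carries a setting; suggest naming the order explicitly. The replacement also drops the removed line "The OCSP checking fix depends on this backport." while the "Fix OCSP checking" entry stays directly above it, so if that dependency still holds on this branch the sentence should be kept. The credit changes from "Steve Henson and Rob Stradling" to "Steve Henson", and the commit message ("Sync with version from master.") does not mention either change; worth confirming both are intended for this branch and not just a side effect of copying master's wording. Since the entry now calls the feature "experimental" and states that OpenSSL "still tries to build a complete chain to a root", a short sentence on what happens when no root is found but a trusted intermediate is present would make the behaviour clear to anyone relying on it.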