From: Bodo Moeller Date: Tue, 17 Sep 2013 07:48:23 +0000 (+0200) Subject: Move the change note for partial chain verification: this is code from X-Git-Tag: master-post-reformat~1173 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cdf84b719cdbbe0ffe08d449722864f30da0e2a7;p=oweals%2Fopenssl.git Move the change note for partial chain verification: this is code from the main branch (http://cvs.openssl.org/chngview?cn=19322) later added to the 1.0.2 branch (http://cvs.openssl.org/chngview?cn=23113), and thus not a change "between 1.0.2 and 1.1.0". --- diff --git a/CHANGES b/CHANGES index 0bf34ab783..69684fc85d 100644 --- a/CHANGES +++ b/CHANGES @@ -252,12 +252,6 @@ security. [Emilia Käsper (Google)] - *) Initial experimental support for explicitly trusted non-root CAs. - OpenSSL still tries to build a complete chain to a root but if an - intermediate CA has a trust setting included that is used. The first - setting is used: whether to trust or reject. - [Steve Henson] - *) New -verify_name option in command line utilities to set verification parameters by name. [Steve Henson] @@ -461,12 +455,12 @@ *) Fix OCSP checking. [Rob Stradling and Ben Laurie] - *) Backport support for partial chain verification: if an intermediate - certificate is explicitly trusted (using -addtrust option to x509 - utility for example) the verification is sucessful even if the chain - is not complete. - The OCSP checking fix depends on this backport. - [Steve Henson and Rob Stradling ] + *) Initial experimental support for explicitly trusted non-root CAs. + OpenSSL still tries to build a complete chain to a root but if an + intermediate CA has a trust setting included that is used. The first + setting is used: whether to trust (e.g., -addtrust option to the x509 + utility) or reject. + [Steve Henson] *) Add -trusted_first option which attempts to find certificates in the trusted store even if an untrusted chain is also supplied.