From 8c149cfd834748c8ee9cca4cd5b336c1829245a2 Mon Sep 17 00:00:00 2001 From: Bodo Moeller Date: Tue, 17 Sep 2013 09:55:27 +0200 Subject: [PATCH] Sync with version from master. --- CHANGES | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 943080944c..6f780077b1 100644 --- a/CHANGES +++ b/CHANGES @@ -174,12 +174,12 @@ *) Fix OCSP checking. [Rob Stradling and Ben Laurie] - *) Backport support for partial chain verification: if an intermediate - certificate is explicitly trusted (using -addtrust option to x509 - utility for example) the verification is sucessful even if the chain - is not complete. - The OCSP checking fix depends on this backport. - [Steve Henson and Rob Stradling ] + *) Initial experimental support for explicitly trusted non-root CAs. + OpenSSL still tries to build a complete chain to a root but if an + intermediate CA has a trust setting included that is used. The first + setting is used: whether to trust (e.g., -addtrust option to the x509 + utility) or reject. + [Steve Henson] *) Add -trusted_first option which attempts to find certificates in the trusted store even if an untrusted chain is also supplied. -- 2.25.1