From cdf84b719cdbbe0ffe08d449722864f30da0e2a7 Mon Sep 17 00:00:00 2001 From: Bodo Moeller Date: Tue, 17 Sep 2013 09:48:23 +0200 Subject: [PATCH] Move the change note for partial chain verification: this is code from the main branch (http://cvs.openssl.org/chngview?cn=19322) later added to the 1.0.2 branch (http://cvs.openssl.org/chngview?cn=23113), and thus not a change "between 1.0.2 and 1.1.0". --- CHANGES | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 0bf34ab783..69684fc85d 100644 --- a/CHANGES +++ b/CHANGES @@ -252,12 +252,6 @@ security. [Emilia Käsper (Google)] - *) Initial experimental support for explicitly trusted non-root CAs. - OpenSSL still tries to build a complete chain to a root but if an - intermediate CA has a trust setting included that is used. The first - setting is used: whether to trust or reject. - [Steve Henson] - *) New -verify_name option in command line utilities to set verification parameters by name. [Steve Henson] @@ -461,12 +455,12 @@ *) Fix OCSP checking. [Rob Stradling and Ben Laurie] - *) Backport support for partial chain verification: if an intermediate - certificate is explicitly trusted (using -addtrust option to x509 - utility for example) the verification is sucessful even if the chain - is not complete. - The OCSP checking fix depends on this backport. - [Steve Henson and Rob Stradling ] + *) Initial experimental support for explicitly trusted non-root CAs. + OpenSSL still tries to build a complete chain to a root but if an + intermediate CA has a trust setting included that is used. The first + setting is used: whether to trust (e.g., -addtrust option to the x509 + utility) or reject. + [Steve Henson] *) Add -trusted_first option which attempts to find certificates in the trusted store even if an untrusted chain is also supplied. -- 2.25.1