author deraadt <> 2021-09-30 18:25:43 +0000
committer deraadt <> 2021-09-30 18:25:43 +0000
commit 8e81e40d0c1296f1862d4a6749edd4cba53c4a23
tree 481f5069a238e56a36cddfff8cde104613fb8108 /src/lib/libc/include/DETAILS
parent 35f8ef07a93e59616eb96dc41d4f8e6a21a6319b
Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
In order to work around the expired DST Root CA X3 certificate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path.
ok millert@ robert@ tb@
this is errata 6.9/018_cert
Diffstat (limited to 'src/lib/libc/include/DETAILS')
0 files changed, 0 insertions, 0 deletions
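
The chain-building difference the commit message describes, as an added example that is not part of the commit or the project's code: a simplified C model of issuer lookup with and without trusted-first ordering. The `cert` struct, `verify_chain`, the leaf name and the sample certificates are constructed for illustration; the model has no signatures, no backtracking and no alternate-chain search.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy certificate: names and an expiry flag only (constructed sample data). */
struct cert { const char *subject, *issuer; int expired; };

/* Constructed model of the default Let's Encrypt chain from the commit message. */
static const struct cert leaf = { "www.example.org", "R3", 0 };
static const struct cert untrusted[] = {        /* sent by the server */
    { "R3", "ISRG Root X1", 0 },
    { "ISRG Root X1", "DST Root CA X3", 0 },    /* cross-signed intermediate */
};
static const struct cert trusted[] = {          /* local trust store */
    { "DST Root CA X3", "DST Root CA X3", 1 },  /* expired root */
    { "ISRG Root X1", "ISRG Root X1", 0 },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

static const struct cert *find(const struct cert *set, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i].subject, name) == 0)
            return &set[i];
    return NULL;
}

/* Returns 1 if the chain ends at a non-expired trust anchor, else 0.
 * trusted_first selects which pool is searched first for each issuer. */
int verify_chain(const struct cert *c, int trusted_first)
{
    for (int depth = 0; depth < 8; depth++) {
        const struct cert *t = find(trusted, N(trusted), c->issuer);
        const struct cert *u = find(untrusted, N(untrusted), c->issuer);
        const struct cert *next = trusted_first ? (t ? t : u) : (u ? u : t);
        if (next == NULL)
            return 0;               /* issuer not found in either pool */
        if (next == t)
            return !t->expired;     /* chain ends at a trust-store entry */
        c = next;                   /* continue through the untrusted cert */
    }
    return 0;                       /* depth limit reached */
}

int main(void)
{
    printf("untrusted first: %d\n", verify_chain(&leaf, 0));
    printf("trusted first:   %d\n", verify_chain(&leaf, 1));
    return 0;
}
```

With untrusted-first ordering the model follows the cross-signed intermediate to the expired root and fails; with trusted-first ordering it stops at ISRG Root X1 in the trust store and succeeds.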