Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	deraadt <>	2021-09-30 18:26:16 +0000
committer	deraadt <>	2021-09-30 18:26:16 +0000
commit	f525bc4ca5d1ba59eeee4beb070687c8a7d0c0bb (patch)
tree	d34d2df411f2decb04a18fa324815b075648e3fd /src/lib/libcrypto/cms
parent	a1d75ef500e825541180bdb19831512601dd5a76 (diff)
download	openbsd-f525bc4ca5d1ba59eeee4beb070687c8a7d0c0bb.tar.gz openbsd-f525bc4ca5d1ba59eeee4beb070687c8a7d0c0bb.tar.bz2 openbsd-f525bc4ca5d1ba59eeee4beb070687c8a7d0c0bb.zip

Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.

In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@ this is errata 6.8/032_cert.patch

Diffstat (limited to 'src/lib/libcrypto/cms')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: