Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	jsing <>	2021-09-30 18:23:46 +0000
committer	jsing <>	2021-09-30 18:23:46 +0000
commit	df605a0a04ab9d184a3ac9938209976a2a2c4c81 (patch)
tree	de904f0ebe759b5ef03bd034b74864c688b00c8e /src/regress/lib/libcrypto/x509/callback.c
parent	e336219a8430405d08b750df18341f125902b52f (diff)
download	openbsd-df605a0a04ab9d184a3ac9938209976a2a2c4c81.tar.gz openbsd-df605a0a04ab9d184a3ac9938209976a2a2c4c81.tar.bz2 openbsd-df605a0a04ab9d184a3ac9938209976a2a2c4c81.zip

Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.

In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@

Diffstat (limited to 'src/regress/lib/libcrypto/x509/callback.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: