Why is X509_V_FLAG_PARTIAL_CHAIN flag required, should it be default? #7871

@t8m

If you want to explicitly trust an intermediate certificate for certificate chain verification, you have to specify X509_V_FLAG_PARTIAL_CHAIN, otherwise the leaf certificate is not verified. In practice, any other major TLS library behaves like this by default, not requiring any such extra verification flags.

What is the reason for having this as non-default behavior and should it be changed in the future major OpenSSL release?

Labels: resolved: answered (The issue contained a question which has been answered); triaged: question (The issue contains a question)
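
The behaviour the question describes can be reproduced with the `openssl verify` command, whose `-partial_chain` option sets this flag. This is an added example, not part of the original issue or of OpenSSL's own code; the certificate subjects, file names and helper functions (`make_chain`, `issue`, `verify_leaf`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names, subjects and file paths below are constructed.

# Build a throwaway chain in directory $1: root -> intermediate -> leaf.
make_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = constructed' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$d/ext.cnf"
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ext.cnf" \
        -extensions v3_ca -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root, then a leaf signed by the intermediate.
    issue "$d" int 'Constructed Intermediate CA' root v3_ca 2 || return 1
    issue "$d" leaf 'leaf.example.test' int v3_leaf 3
}

# issue DIR NAME CN ISSUER EXT_SECTION SERIAL
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$6" -days 2 -extfile "$1/ext.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

# Verify the leaf with ONLY the intermediate in the trust store.
# $1 = chain directory, remaining arguments = extra `openssl verify` options.
verify_leaf() {
    d=$1; shift
    openssl verify "$@" -CAfile "$d/int.pem" "$d/leaf.pem" 2>/dev/null |
        grep -q ': OK$'
}

demo() {
    t=$(mktemp -d) && make_chain "$t" || return 1
    # Default: the chain must end at a self-signed anchor, so this is rejected.
    verify_leaf "$t" && echo 'default: OK' || echo 'default: rejected'
    # With the flag, a trusted non-self-signed certificate ends the chain.
    verify_leaf "$t" -partial_chain && echo 'partial_chain: OK' ||
        echo 'partial_chain: rejected'
    rm -rf "$t"
}
demo
```

With the flag set, the trusted intermediate acts as the trust anchor and the root is never consulted, so the set of certificates placed in the store defines exactly what is trusted.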