Move the change note for partial chain verification: this is code from

the main branch (http://cvs.openssl.org/chngview?cn=19322) later added to the 1.0.2 branch (http://cvs.openssl.org/chngview?cn=23113), and thus not a change "between 1.0.2 and 1.1.0".
2025-01-18 13:44:20 +08:00 · 2013-09-17 09:48:23 +02:00 · 2013-09-17 09:48:23 +02:00 · cdf84b719c
commit cdf84b719c
parent 92acab0b6a
1 changed files with 6 additions and 12 deletions
--- a/18
+++ b/18
@ -252,12 +252,6 @@
     security.
     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]

-  *) Initial experimental support for explicitly trusted non-root CAs. 
-     OpenSSL still tries to build a complete chain to a root but if an
-     intermediate CA has a trust setting included that is used. The first
-     setting is used: whether to trust or reject.
-     [Steve Henson]
-
  *) New -verify_name option in command line utilities to set verification
     parameters by name.
     [Steve Henson]
@ -461,12 +455,12 @@
  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]

-  *) Backport support for partial chain verification: if an intermediate
-     certificate is explicitly trusted (using -addtrust option to x509
-     utility for example) the verification is sucessful even if the chain
-     is not complete.
-     The OCSP checking fix depends on this backport.
-     [Steve Henson and Rob Stradling <rob.stradling@comodo.com>]
+  *) Initial experimental support for explicitly trusted non-root CAs. 
+     OpenSSL still tries to build a complete chain to a root but if an
+     intermediate CA has a trust setting included that is used. The first
+     setting is used: whether to trust (e.g., -addtrust option to the x509
+     utility) or reject.
+     [Steve Henson]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.