    Add $ssl_verify_partial_chains option for OpenSSL. (closes #3916) · f4fbf0bb
    Matthias Andree authored
    The reworked OpenSSL certificate validation took away a "feature" of
    the previous implementation: the ability to reject a node in the chain
    and yet continue to the next node.
    
    If this new option is set to 'yes', it enables OpenSSL's
    X509_V_FLAG_PARTIAL_CHAIN flag to reinstate the functionality and permit
    the use of a non-root certificate as the trust anchor.
    
    This option is only available if OpenSSL offers the
    X509_V_FLAG_PARTIAL_CHAIN macro, which should be the case as of 1.0.2b
    or later.
    
    Code written by Kevin McCarthy and Matthias Andree.
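
What the flag changes during chain building, shown with the `openssl verify` command, whose `-partial_chain` option sets X509_V_FLAG_PARTIAL_CHAIN. This is an added example, not code from the commit or from mutt; the three-certificate PKI, its subject names and the helper functions `make_pki`, `verify_leaf` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed throwaway PKI; all names are made up).
# Needs the openssl CLI with -partial_chain support (1.0.2 or later).

# make_pki DIR: create root -> intermediate -> leaf under DIR.
make_pki() {
    d=$1
    # Self-signed root; only used to sign the intermediate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root (needs CA:TRUE to issue certs).
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" \
        -out "$d/int.pem" 2>/dev/null || return 1
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# verify_leaf DIR [verify options]: trust ONLY the intermediate, not the root.
verify_leaf() {
    d=$1; shift
    openssl verify "$@" -CAfile "$d/int.pem" "$d/leaf.pem" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    # Without the flag the chain must end at a self-signed root: rejected.
    verify_leaf "$tmp" && echo "default: accepted" || echo "default: rejected"
    # With the flag the trusted intermediate is a sufficient anchor: accepted.
    verify_leaf "$tmp" -partial_chain && echo "partial chain: accepted" \
        || echo "partial chain: rejected"
    rm -rf "$tmp"
}
demo
```

With the flag set, the root is never consulted, so everything issued under the trusted intermediate is accepted on the strength of that intermediate alone.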
init.h 160 KB