

Re: [PATCH] openssl: allow partial trust chains

From: Reiner Herrmann <>
Date: Thu, 26 Nov 2015 10:52:58 +0100

On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > By default OpenSSL only accepts connections if the full chain to
> > the root can be verified.
> This seems to be a very good idea :-)
> > If only an intermediate CA in the chain is trusted, setting this
> > flag also allows the connection when the root CA is not trusted.
> Maybe I don't get your point.
> The server cert is signed by an intermediate CA. This is signed by
> (intermediate cert | root CA). Repeat the last step until you reach the root
> CA.
> The root CA is the only one you trust by definition (normally/often root CAs
> are installed by your distribution).
> If one part of this chain isn't trusted, the server cert isn't trusted as
> well.
> Why do you propose such a behavior as default behavior (What am I missing) ?
> Could you explain the purpose in detail, please.

No, there can be cases where you only want to trust as few CAs as
possible. So for example you trust the letsencrypt CA, but don't want to
have the root CA which signed their cert in your trust store.
If there is a valid chain up to an intermediate CA cert which you already
explicitly trust, then there is (in my opinion) no need to require a
full chain up to the root (which would force you to trust the root CA

> I can imagine some cases, where such behavior is wanted. How about a CLI
> option ?

I think it should be a default, because if you explicitly put an
intermediate CA cert into your trust store, your intention is probably
that a chain up to this CA is sufficient.
But right now this is not possible (with the OpenSSL backend).

As mentioned in the patch, this is already the default behavior for the
GnuTLS backend.

Kind regards,

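As an added illustration, not code from the patch, curl or OpenSSL: a small Python model of the trust decision the thread is about. It models only issuer linkage and trust-store membership (signatures and validity periods are not checked), the `partial_chain` switch stands in for OpenSSL's X509_V_FLAG_PARTIAL_CHAIN (presumably what the patch sets), and every certificate name is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the name linkage is modelled."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def verify_chain(leaf, provided, trust_store, partial_chain=False):
    """Walk from the leaf toward a trust anchor; return (ok, reason).

    Signatures and validity periods are not checked. Without partial_chain
    the walk must end at a self-signed cert in the trust store; with it, any
    cert found in the trust store (a trusted intermediate included) ends it.
    """
    by_subject = {c.subject: c for c in provided}
    trusted = {c.subject: c for c in trust_store}
    cur, seen = leaf, set()
    while cur.subject not in seen:
        seen.add(cur.subject)
        if cur.subject in trusted and (partial_chain or cur.self_signed):
            return True, f"anchored at trusted '{cur.subject}'"
        if cur.self_signed:
            return False, f"self-signed '{cur.subject}' is not in the trust store"
        # Look for the issuer in the trust store first, then in what the peer sent.
        nxt = trusted.get(cur.issuer) or by_subject.get(cur.issuer)
        if nxt is None:
            return False, f"unable to get issuer certificate for '{cur.subject}'"
        cur = nxt
    return False, "issuer loop detected"

# Constructed sample chain; the names are hypothetical, not real CAs.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Intermediate CA")

def demo():
    """Trust store holds only the intermediate (the mail's scenario), then only the root."""
    strict = verify_chain(LEAF, [INTERMEDIATE], [INTERMEDIATE])
    partial = verify_chain(LEAF, [INTERMEDIATE], [INTERMEDIATE], partial_chain=True)
    via_root = verify_chain(LEAF, [INTERMEDIATE], [ROOT])
    return strict, partial, via_root

if __name__ == "__main__":
    for name, (ok, why) in zip(("strict", "partial", "via_root"), demo()):
        print(f"{name:9s}{'OK  ' if ok else 'FAIL'} {why}")
```

With only the intermediate in the store, the strict walk fails for lack of the root's certificate while the partial-chain walk accepts the chain at the intermediate; trusting the root instead succeeds either way.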

Received on 2015-11-26