cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen <>
Date: Thu, 26 Nov 2015 12:02:15 +0100

On Thursday 26 November 2015 10:43:07 Petr Pisar wrote:
> On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > > If only an intermediate CA in the chain is trusted, setting this
> > > flag also allows the connection when the root CA is not trusted.
> >
> > Maybe I don't get your point.
> > The server cert is signed by an intermediate CA. This is signed by
> > (intermediate cert | root CA). Repeat the last step until you reach the
> > root CA.
> > The root CA is the only one you trust by definition (normally/often root
> > CAs are installed by your distribution).
> I must disagree. For example, many authorities (as a company) have one root
> authority and then several subordinated authorities with different policies.
> For example, one is compliant to government requirements, while the other
> one issues cheaper certificates with less detailed validation. Then I want
> to trust only certificates issued by the one intermediate authority. Adding
> the one subauthority to trusted set and removing the root certificate from
> the set solves the issue for me. Especially when common TLS libraries
> cannot discriminate on certificate policy OIDs.

I just don't like this behavior being the default.
I have nothing against some kind of configuration / option.


List admin:
Received on 2015-11-26