Experimental support for partial chain verification: if an intermediate

certificate is explicitly trusted (using -addtrust option to x509 utility for example) the verification is sucessful even if the chain is not complete.
author: Dr. Stephen Henson <steve@openssl.org> 2010-02-25 00:17:22 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2010-02-25 00:17:22 +0000
commit: fbd2164044f92383955a801ad1b2857d71e83f27 (patch)
tree: dfd027788b737a91b8103a1b5ae751e695c5d014 /CHANGES
parent: 04e4b8272614ab72d313af8d8e6488f8575e175e (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index ec2ee0d17d..7aae336e37 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,16 @@
 
  Changes between 1.0.0 and 1.1.0  [xx XXX xxxx]
 
+  *) Initial experimental support for explicitly trusted non-root CAs. 
+     OpenSSL still tries to build a complete chain to a root but if an
+     intermediate CA has a trust setting included that is used. The first
+     setting is used: whether to trust or reject.
+     [Steve Henson]
+
+  *) New -verify_name option in command line utilities to set verification
+     parameters by name.
+     [Steve Henson]
+
   *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
      Add CMAC pkey methods.
      [Steve Henson]
author	Dr. Stephen Henson <steve@openssl.org>	2010-02-25 00:17:22 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2010-02-25 00:17:22 +0000
commit	fbd2164044f92383955a801ad1b2857d71e83f27 (patch)
tree	dfd027788b737a91b8103a1b5ae751e695c5d014 /CHANGES
parent	04e4b8272614ab72d313af8d8e6488f8575e175e (diff)