-rw-r--r-- CHANGES 18
1 files changed, 6 insertions, 12 deletions
diff --git a/CHANGES b/CHANGES
index 0bf34ab783..69684fc85d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -252,12 +252,6 @@
security.
[Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
- *) Initial experimental support for explicitly trusted non-root CAs.
- OpenSSL still tries to build a complete chain to a root but if an
- intermediate CA has a trust setting included that is used. The first
- setting is used: whether to trust or reject.
- [Steve Henson]
-
*) New -verify_name option in command line utilities to set verification
parameters by name.
[Steve Henson]
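Review bot: The removal of the "explicitly trusted non-root CAs" entry at -252 comes with no visible explanation of why the entry belongs elsewhere in the file, and the hunk context does not show which section it is leaving. The same text is re-added in the hunk at -461, so nothing is lost, but please state in the commit message which section the entry is moving from and to, so readers can tell which releases carry the trust behaviour. Note also that the re-added copy is not identical to the one removed here: it gains the "(e.g., -addtrust option to the x509 utility)" parenthetical.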
@@ -461,12 +455,12 @@
*) Fix OCSP checking.
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
- *) Backport support for partial chain verification: if an intermediate
- certificate is explicitly trusted (using -addtrust option to x509
- utility for example) the verification is sucessful even if the chain
- is not complete.
- The OCSP checking fix depends on this backport.
- [Steve Henson and Rob Stradling <rob.stradling@comodo.com>]
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust (e.g., -addtrust option to the x509
+ utility) or reject.
+ [Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
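Review bot: The replacement entry at -461 drops three things the old text carried, and at least two look worth keeping. First, "The OCSP checking fix depends on this backport." is gone, although the "Fix OCSP checking." entry still sits directly above; without that line nothing tells a reader that the two changes must be taken together. Second, the old text said outright that "the verification is sucessful even if the chain is not complete", which is the security-relevant consequence for anyone who marks an intermediate as trusted; the new wording only says the trust setting "is used". Consider restoring one sentence that says verification can succeed at a trusted intermediate without reaching a root. Third, Rob Stradling's credit is removed from the entry; confirm that is intended. A smaller wording point: "if an intermediate CA has a trust setting included that is used" is hard to parse and would read better with a comma before "that", or reworded as "that setting is used".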