CHANGES +6 −12 Original line number Diff line number Diff line Loading @@ -252,12 +252,6 @@ security. [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)] *) Initial experimental support for explicitly trusted non-root CAs. OpenSSL still tries to build a complete chain to a root but if an intermediate CA has a trust setting included that is used. The first setting is used: whether to trust or reject. [Steve Henson] *) New -verify_name option in command line utilities to set verification parameters by name. [Steve Henson] Loading Loading @@ -461,12 +455,12 @@ *) Fix OCSP checking. [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie] *) Backport support for partial chain verification: if an intermediate certificate is explicitly trusted (using -addtrust option to x509 utility for example) the verification is sucessful even if the chain is not complete. The OCSP checking fix depends on this backport. [Steve Henson and Rob Stradling <rob.stradling@comodo.com>] *) Initial experimental support for explicitly trusted non-root CAs. OpenSSL still tries to build a complete chain to a root but if an intermediate CA has a trust setting included that is used. The first setting is used: whether to trust (e.g., -addtrust option to the x509 utility) or reject. [Steve Henson] *) Add -trusted_first option which attempts to find certificates in the trusted store even if an untrusted chain is also supplied. Loading
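Review bot: In the hunk at @@ -252,12 +252,6 @@ the "Initial experimental support for explicitly trusted non-root CAs" entry is worded without the "(e.g., -addtrust option to the x509 utility)" parenthetical that the copy in the @@ -461,12 +455,12 @@ hunk carries, so the change holds the same entry in two wordings. The header shows this section going from 12 lines to 6, which reads as the entry leaving this section; if it is being moved to the lower section rather than dropped, say so in the commit message so a reader of this section does not conclude the trust-setting behaviour was withdrawn.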
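Review bot: In the hunk at @@ -461,12 +455,12 @@ the "Initial experimental support" wording no longer states the security-relevant outcome that the "Backport support for partial chain verification" text spells out, namely that verification succeeds even if the chain is not complete, and it also omits "The OCSP checking fix depends on this backport." and the credit to Rob Stradling. If one entry is replacing the other here, keep a sentence that says plainly that an explicitly trusted intermediate ends chain building with a successful result, and keep the OCSP dependency note if it still holds. The clause "has a trust setting included that is used" is hard to parse, and the parenthetical gives an example only for the trust case; consider "if an intermediate CA carries a trust setting, that setting is used" and naming the reject counterpart or dropping the example.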