Changes between Initial Version and Version 1 of Ticket #47805, comment 5


Timestamp: May 23, 2015, 12:02:29 PM (9 years ago)
Author: neverpanic (Clemens Lang)
  • Ticket #47805, comment 5

    initial v1  
    33However, OpenSSL before 1.0.2 does not detect this situation as it should (by checking whether any of the intermediates is a trusted root CA) and always follows the chain of trust to the end. In this situation, it fails to verify the certificate, because the end of the chain of certificates is actually not trusted. OpenSSL 1.0.2 added a switch to fix that (activated by `-trusted_first` in `openssl s_client`), but this option needs to be enabled by each software separately.
    44
    5 For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html.
     5For curl, see https://www.mail-archive.com/curl-library@cool.haxx.se/msg11483.html (the thread seems to have ended up dead, so we should follow up).
     6
    67For python, see http://bugs.python.org/issue23476 (will be part of 2.7.10).