#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert' chain
--------------------------+----------------------
  Reporter:  kratem32     |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  closed
  Priority:  minor        |  Milestone:  1.8
 Component:  crypto       |    Version:
Resolution:  fixed        |   Keywords:  tofu
--------------------------+----------------------
Changes (by Matthias Andree <matthias.andree@…>):

 * status:  new => closed
 * resolution:  => fixed

Comment:
In [changeset:"5a04f3797f03ec46814e1ff0bd85644744a16898"
6960:5a04f3797f03]:
{{{
#!CommitTicketReference repository=""
revision="5a04f3797f03ec46814e1ff0bd85644744a16898"
Add $ssl_verify_partial_chains option for OpenSSL. (closes #3916)

The reworked OpenSSL certificate validation took away a "feature" of
the previous implementation: the ability to reject a node in the chain
and yet continue to the next node.

If this new option is set to 'yes', it enables OpenSSL's
X509_V_FLAG_PARTIAL_CHAIN flag to reinstate the functionality and permit
the use of a non-root certificate as the trust anchor.

This option is only available if OpenSSL offers the
X509_V_FLAG_PARTIAL_CHAIN macro, which should be the case as of 1.0.2b
or later.

Code written by Kevin McCarthy and Matthias Andree.
}}}
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:64>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
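
The effect of X509_V_FLAG_PARTIAL_CHAIN described in the commit message above, shown with the openssl command-line tool, whose verify command sets the flag through -partial_chain. This is an added example, not part of the ticket or of Mutt's code; the certificate names, file names and helper functions are made up for the demo, and it assumes an openssl binary of 1.0.2 or later.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain (all names made up).

# make_chain DIR: create root.pem, inter.pem and leaf.pem inside DIR.
make_chain() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > demo.cnf
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    # Self-signed root, then intermediate signed by root, then leaf signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile demo.cnf -extensions ca -out root.pem 2>/dev/null || exit 1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile demo.cnf -extensions ca -out inter.pem 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -extfile demo.cnf -extensions leaf -out leaf.pem 2>/dev/null || exit 1
)

# Only the intermediate is trusted. Default verification still insists on
# reaching a self-signed root, so the chain is rejected.
verify_default() {
    openssl verify -CAfile "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store with X509_V_FLAG_PARTIAL_CHAIN set: the trusted
# non-root certificate is accepted as the trust anchor.
verify_partial() {
    openssl verify -partial_chain -CAfile "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir" || exit 1
verify_default "$demo_dir" && echo "default: accepted" || echo "default: rejected"
verify_partial "$demo_dir" && echo "partial_chain: accepted" || echo "partial_chain: rejected"
rm -rf "$demo_dir"
```

With the flag set, trust in the intermediate no longer depends on the root, so a pinned intermediate stays accepted even if the root above it is later distrusted or replaced.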