> On Dec 11, 2017, at 6:27 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
>
> I believe that I ran into a similar problem whereby I could not pin
> ('trust') an intermediate certificate (which was not self-signed) for the
> purposes of verifying a CMS/PKCS7 object.
>
> I don't have a solution, and I believe that work is required.

As I already mentioned a few times, the new X509_V_FLAG_PARTIAL_CHAIN flag
added in 1.0.2 addresses this issue. To get pinning, provide a trust store
with just the pinned issuer CA, and X509_V_FLAG_PARTIAL_CHAIN set.

With OpenSSL 1.1.0 one can also implement pinning by computing a TLSA record
for the pinned CA, and using OpenSSL's DANE support. OpenSSL does not do the
DNS lookups to find TLSA records, that's up to the application, so the TLSA
records can be entirely synthetic (e.g. derived from suitable hashes of a
pinned CA cert or its public key).

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
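The following script is an added worked example and is not part of Viktor's reply or of OpenSSL's own code. It builds a throwaway PKI (one root, two intermediates, one leaf under each; the names such as "pinned.example" are constructed for the demo), then shows both techniques from the reply: a trust store holding only the non-self-signed intermediate, accepted as an anchor only when the CLI's `-partial_chain` option (the command-line counterpart of X509_V_FLAG_PARTIAL_CHAIN) is set, and a synthetic DANE-TA TLSA record derived from the pinned CA's public key. It assumes only the `openssl` CLI (1.1.0 or later for the options used) plus POSIX `od`, `tr` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread): pin a non-self-signed intermediate CA
# with -partial_chain (X509_V_FLAG_PARTIAL_CHAIN) and derive a synthetic
# DANE-TA TLSA record for the pinned CA. All certificates are generated here;
# subjects such as "pinned.example" are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/leaf.ext"

gen_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# issue <name> <subject> <issuer> <extfile>: key + CSR for <name>, signed by <issuer>
issue() {
    gen_key "$WORK/$1.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
    # Self-signed root, two intermediates under it, one leaf under each intermediate
    gen_key "$WORK/root.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/root.key" -subj "/CN=Demo Root" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    issue pinned "/CN=Pinned Intermediate" root   ca.ext
    issue other  "/CN=Other Intermediate"  root   ca.ext
    issue leaf   "/CN=pinned.example"      pinned leaf.ext
    issue rogue  "/CN=pinned.example"      other  leaf.ext
}

# Pinning: the trust store holds only the pinned intermediate, which is not
# self-signed, so it is accepted as a chain anchor only with -partial_chain.
verify_pinned() { openssl verify -partial_chain -CAfile "$WORK/pinned.pem" "$WORK/$1.pem"; }

# Same store without the flag: chain building wants a self-signed root and fails.
verify_without_flag() { openssl verify -CAfile "$WORK/pinned.pem" "$WORK/$1.pem"; }

# TLSA rrdata "2 1 1 <hex>": usage DANE-TA(2), selector SPKI(1), matching SHA-256(1).
# This is the kind of synthetic record an application can hand to OpenSSL's DANE
# API (SSL_dane_tlsa_add) without any DNS lookup having taken place.
tlsa_rrdata() {
    hash=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n')
    printf '2 1 1 %s\n' "$hash"
}

main() {
    build_pki
    echo "--- leaf under the pinned CA, -partial_chain:"; verify_pinned leaf
    echo "--- same leaf, no -partial_chain (expected to fail):"; verify_without_flag leaf || true
    echo "--- leaf under a different intermediate of the same root (expected to fail):"
    verify_pinned rogue || true
    echo "--- synthetic TLSA rrdata for the pinned CA:"; tlsa_rrdata "$WORK/pinned.pem"
}
main
```

The third check is the one that makes this pinning rather than plain verification: `rogue.pem` chains perfectly well to the demo root, but with only the pinned intermediate in the store there is no path to it, so it is rejected. For the CMS/PKCS7 case raised in the thread, the same effect comes from setting X509_V_FLAG_PARTIAL_CHAIN with X509_STORE_set_flags() on the X509_STORE passed to CMS_verify(), with that store containing only the pinned issuer. The printed "2 1 1 ..." string is in the format `openssl s_client -dane_tlsa_rrdata` accepts, so the TLS variant can be tried against any server whose chain passes through the pinned CA.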