> On Dec 11, 2017, at 7:41 PM, Dr. Pala <madwolf@xxxxxxxxxx> wrote:
>
> Does it matter that we are not in the TLS case?

No, the issue is not TLS-specific.

> IMHO, the correct (or, better, the expected) behavior (from a developer's standpoint) would be to trust keys in the trusted certificates list, no matter if they are in the form of a Self-Signed or non-Self-Signed certificate - after all, it is a Trust Anchor --> just a Public Key :D

Intermediate CAs in the trust store were historically used just to augment the peer's chain in case they were left out, and not necessarily to signal independent trust in the intermediate CA. The new flag makes it possible to indicate that you fully trust also the intermediate CAs in the trust store.

With OpenSSL 1.1.0 or later, you can also decorate intermediate CAs with explicit auxiliary trust EKUs and, instead of storing a regular X509 "CERTIFICATE", store a "TRUSTED CERTIFICATE". Such intermediate CAs will work also for applications that don't set X509_V_FLAG_PARTIAL_CHAIN. That, together with the change to default X509_V_FLAG_TRUSTED_FIRST, makes it possible to deploy trusted intermediates with no application code changes.

Which reminds me, with OpenSSL 1.0.2 you should also set X509_V_FLAG_TRUSTED_FIRST. We did not backport that default change to the stable 1.0.2 release out of caution, but it is, I think, a more sensible default behaviour.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
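The three trust-store situations Viktor describes, as an added example that is not part of the thread: a constructed root/intermediate/leaf chain is verified with the openssl CLI while the intermediate sits in the store as a plain CERTIFICATE (default flags, then with -partial_chain, i.e. X509_V_FLAG_PARTIAL_CHAIN) and as a TRUSTED CERTIFICATE carrying an explicit anyExtendedKeyUsage trust setting. It assumes an openssl 1.1.0 or later binary on PATH; every name, key and file below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl 1.1.0+ CLI on PATH.
# All keys, subjects and files are constructed here; nothing is real PKI data.
set -e
WORK=$(mktemp -d)
cd "$WORK"

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null; }
newkey root; newkey inter; newkey leaf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Constructed chain: self-signed Demo-Root -> Demo-Intermediate (CA:TRUE) -> leaf.
openssl req -new -key root.key -subj /CN=Demo-Root 2>/dev/null |
  openssl x509 -req -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl req -new -key inter.key -subj /CN=Demo-Intermediate 2>/dev/null |
  openssl x509 -req -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
openssl req -new -key leaf.key -subj /CN=leaf.example 2>/dev/null |
  openssl x509 -req -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null

# The same intermediate re-encoded as a "TRUSTED CERTIFICATE" with an explicit
# auxiliary trust setting; OpenSSL 1.1.0+ accepts such a cert as a trust anchor.
openssl x509 -in inter.pem -addtrust anyExtendedKeyUsage -trustout \
  -out inter.trusted.pem 2>/dev/null

# verify_with <store-file> [extra openssl verify options]: prints ok or fail.
# Matching ": OK" in the output is version-independent (old releases exit 0 on failure).
verify_with() {
  store=$1; shift
  if openssl verify "$@" -CAfile "$store" leaf.pem 2>/dev/null | grep -q ': OK$'
  then echo ok; else echo fail; fi
}

# 1. Plain CERTIFICATE intermediate, default flags: the chain builder wants a
#    self-signed root, finds none, and fails (unable to get issuer certificate).
plain_default()   { verify_with inter.pem; }
# 2. Same store with -partial_chain (X509_V_FLAG_PARTIAL_CHAIN): succeeds.
plain_partial()   { verify_with inter.pem -partial_chain; }
# 3. TRUSTED CERTIFICATE intermediate, no flag needed: succeeds.
trusted_default() { verify_with inter.trusted.pem; }
# 4. Classic case for comparison: root in the store, intermediate supplied untrusted.
root_default()    { verify_with root.pem -untrusted inter.pem; }

for f in plain_default plain_partial trusted_default root_default; do
  printf '%-16s %s\n' "$f" "$($f)"
done
```

Case 3 is the deployment Viktor recommends: the store entry changes, the application's verify flags do not.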