S server cmd #646
Conversation
    { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
        "Enable checking of the root CA self signed certificate signature"}, \
    { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
        "Use locally-trusted CA's first in building chain (enabled by default)" }, \
Has this changed? Last time I checked trusted_first was not on by default (although I know Viktor has been working in this area so perhaps that is no longer the case).
man verify(1) says this:
-trusted_first
    When constructing the certificate chain, use the trusted certificates specified via -CAfile, -CApath or -trusted before any certificates specified via -untrusted. This can be useful in environments with Bridge or Cross-Certified CAs. As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
Hence I thought it was already implemented that way. I have not removed it myself because I have not tested it myself :)
If it is always enabled, the option can probably be removed. Thanks.
Ok. Probably Viktor changed it. I would keep the option though for compatibility reasons (e.g. if scripts etc expect it)
agreed.
General comment: we do not accept merge commits. Please can you squash all of this into a single commit?
@mattcaswell, I am trying to figure out how to squash into a single commit as you suggested, never done this before. Will commit after this change.
* added missing help option messages
* ecdh_single option is removed as it is a no-op and not an option supported in earlier versions
* ssl_ctx_security_debug() was invoked before ctx check for NULL
* trusted_first option can be removed, as it is always enabled in 1.1. But not removed the option, require confirmation.
@mattcaswell, squashed merge commits. Please have a look. Thanks.
Looks good. +1
+1. merged at 32eabe3 thanks!