S server cmd #646
S server cmd #646
Conversation
| { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \ | ||
| "Enable checking of the root CA self signed certificate signature"}, \ | ||
| { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \ | ||
| "Use locally-trusted CA's first in building chain (enabled by default)" }, \ |
There was a problem hiding this comment.
Has this changed? Last time I checked trusted_first was not on by default (although I know Viktor has been working in this area so perhaps that is no longer the case).
There was a problem hiding this comment.
man verify(1) says this:
-trusted_first
When constructing the certificate chain, use the trusted certificates specified via -CAfile, -CApath or -trusted before any certificates specified
via -untrusted. This can be useful in environments with Bridge or Cross-Certified CAs. As of OpenSSL 1.1.0 this option is on by default and cannot
be disabled.
Hence I thought it is already implemented it that way. Not removed by self because I have not tested myself :)
If it is always enabled, probably the option can be removed. Thanks.
There was a problem hiding this comment.
Ok. Probably Viktor changed it. I would keep the option though for compatibility reasons (e.g. if scripts etc expect it)
|
General comment: we do not accept merge commits. Please can you squash all of this into a single commit? |
|
@mattcaswell, I am trying to figure out how to squash into a single commit as you suggested, never done this before. Will commit after this change. |
* added missing help option messages * ecdh_single option is removed as it is a no-op and not an option supported in earlier versions * ssl_ctx_security_debug() was invoked before ctx check for NULL * trusted_first option can be removed, as it is always enabled in 1.1. But not removed the option, require confirmation.
|
@mattcaswell, squashed merge commits. Please have a look. Thanks. |
|
Looks good. +1 |
|
+1. merged at 32eabe3 thanks! |
supported in earlier versions
But not removed the option, require confirmation.