On Wed, Jan 24, 2018 at 10:20 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 23, 2018, at 1:07 PM, Isaac Boukris <iboukris@gmail.com> wrote:
Any thoughts on this? I can collect server debug of this flow, before and after the patches if it helps.
I think it looks good. I'll have to go over it in detail, which is why it's taking so long.
It's important for me to understand the consequences of changing core behaviour...
Thank you for the initial feedback. On a related note, I'd like to mention that I also thought of proposing a new directive like 'untrusted_ca_file', which we'd load with 'SSL_CTX_add_extra_chain_cert()' and only use it to complete the chain (if the client didn't send it), like 'openssl verify -untrusted' option, but I can't think of a practical benefit over just adding it to 'ca_file' as trusted. Regards.