Timeline for SSL root certificate optional?
Current License: CC BY-SA 4.0
2 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| May 4, 2021 at 11:57 | comment | added | dave_thompson_085 | | At least for the server I get (amazon has many) it actually sends a DigicertG2-to-VerisignG5 bridge cert (not the root) as you can see in the detailed 'showcerts' output. But if you are using an up-to-date truststore derived from Mozilla, as many Linuxes and some other systems do, that recently removed Verisign G5 and (non-ancient) OpenSSL when the supplied chain points to an untrusted root will look for a trusted root for a CA earlier in the chain and if found use it instead for the verify callback (which is what you quoted). |
| May 4, 2021 at 0:25 | history | answered | mti2935 | CC BY-SA 4.0 | |