classification
Title: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag
Type: enhancement Stage: resolved
Components: SSL Versions: Python 3.10
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, l0x, miss-islington
Priority: normal Keywords:

Created on 2020-06-02 19:20 by l0x, last changed 2021-04-19 12:00 by christian.heimes. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 20463 merged l0x, 2020-06-02 19:20
Messages (3)
msg370621 - (view) Author: (l0x) * Date: 2020-06-02 19:20
This simple patch exposes OpenSSL's X509_V_FLAG_PARTIAL_CHAIN if it is defined. This lets us trust a certificate if it is signed by a certificate in the trust store, even if that CA is not a root CA. It makes it possible to trust an intermediate CA without trusting the root and all the other intermediate CAs it has signed.
msg370627 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-06-02 20:34
Thanks for the patch!

I'm still pondering if I prefer VERIFY_PARTIAL_CHAIN over VERIFY_X509_PARTIAL_CHAIN. The string X509 is not meaningful here but fits with the other, much older flags.
msg391374 - (view) Author: miss-islington (miss-islington) Date: 2021-04-19 11:51
New changeset 64d975202f7a91cb8c61a050fafb4e934fcbaa4e by l0x in branch 'master':
bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)
https://github.com/python/cpython/commit/64d975202f7a91cb8c61a050fafb4e934fcbaa4e
History
Date User Action Args
2021-04-19 12:00:33 christian.heimes set status: open -> closed; resolution: fixed; stage: resolved
2021-04-19 11:51:22 miss-islington set nosy: + miss-islington; messages: + msg391374
2020-06-02 20:34:36 christian.heimes set messages: + msg370627; versions: + Python 3.10
2020-06-02 19:20:28 l0x create