{"author":"Rod Widdowson","author_email":"rdw@steadingsoftware.com","author_time":1747854636,"commit_time":1749941708,"committer":"Jay Satiro","committer_email":"raysatiro@yahoo.com","hash":"df1ff17f88a623b12c13ffd893ca4ac47c5f04d1","message":"schannel: allow partial chains for manual peer verification\n\n- Align --cacert behaviour with OpenSSL and LibreSSL.\n\nThis changes the default behavior of Schannel manual certificate\nverification, which is used when the user provides their own CA\ncertificates for verification, to accept partial chains. In other words,\nthe user may provide an intermediate certificate without having to\nprovide the root CA.\n\nWin8/Server2012 widened the PKIX chain traversal API to allow\ncertificate traversal to terminate at an intermediate.\n\nThis behaviour (terminate at the first matching intermediate) is the\ndefault for LibreSSL and OpenSSL (with OpenSSL allowing control via\nCURLSSLOPT_NO_PARTIALCHAIN).\n\nThis change uses the new API if it is available, and also allows the\nbehaviour to revert to legacy if CURLSSLOPT_NO_PARTIALCHAIN is present.\n\nCloses https://github.com/curl/curl/pull/17418\n","parents":["49a0c27bbc1db80ce2353461934362480a4bf340"],"tree_hash":"80c20ce106cc4a118bbd31fe8aed482f8c1ff9ee"}