On Mon, 22 Jun 2015, Doug Leavitt wrote: [...]
The code change itself is simple. At a minimum it is as simple as adding: #ifdef X509_V_FLAG_PARTIAL_CHAIN
Perhaps with a doc patch too, since this would make OpenLDAP one of (apparently very) few OpenSSL-linked applications that honors partial chains.
OpenSSL by default ignores trust-list entries that are not for root CAs. Adding just the "mysystem" certificate has no effect. With this change, you can add the "mysystem" certificate and that will cause OpenSSL to accept this certificate, even though the trust list does not include the CA's root certificate.
The comment "even though the trust list does not include the CA's root certificate" seems a bit odd to me:
An argument that we take today's behavior (require rootCA; mysystemA[rootCA] or mysystemB[rootCA] are both OK) and make it more strict with "require rootCA AND mysystemA[rootCA]" intuitively sounds like an increase in security...if you have a client environment controlled enough to distribute ldap.example.com's material along with your CA store, go for it.
But the concept of "require ldap.example.com" while (optionally?) throwing out the existing rootCA (and presumably its associated CRL/OCSP/etc.) checking sounds like it could introduce risk. So is ldap.example.com truly an "add" to the chain, or is the rootCA not included (i.e. removed)?