
openssl: set X509_V_FLAG_PARTIAL_CHAIN

Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
This commit is contained in:
Daniel Stenberg 2019-12-02 10:45:55 +01:00
parent 7dffc2b46f
commit 94f1f77158
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -2773,6 +2773,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
infof(data, " CRLfile: %s\n", ssl_crlfile); infof(data, " CRLfile: %s\n", ssl_crlfile);
} }
if(verifypeer) {
/* Try building a chain using issuers in the trusted store first to avoid /* Try building a chain using issuers in the trusted store first to avoid
problems with server-sent legacy intermediates. Newer versions of problems with server-sent legacy intermediates. Newer versions of
OpenSSL do alternate chain checking by default which gives us the same OpenSSL do alternate chain checking by default which gives us the same
@ -2781,11 +2782,18 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
*/ */
#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
if(verifypeer) {
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
X509_V_FLAG_TRUSTED_FIRST); X509_V_FLAG_TRUSTED_FIRST);
}
#endif #endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
/* Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain. */
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
X509_V_FLAG_PARTIAL_CHAIN);
#endif
}
/* SSL always tries to verify the peer, this only says whether it should /* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue * fail to connect if the verification fails, or if it should continue