openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. Other TLS backends already accept partial chains. Reported-by: Jeffrey Walton Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
This commit is contained in:
parent
7dffc2b46f
commit
94f1f77158
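--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -2773,19 +2773,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 infof(data, " CRLfile: %s\n", ssl_crlfile);
 }
 
-/* Try building a chain using issuers in the trusted store first to avoid
-problems with server-sent legacy intermediates. Newer versions of
-OpenSSL do alternate chain checking by default which gives us the same
-fix without as much of a performance hit (slight), so we prefer that if
-available.
-https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
-*/
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
 if(verifypeer) {
+/* Try building a chain using issuers in the trusted store first to avoid
+problems with server-sent legacy intermediates. Newer versions of
+OpenSSL do alternate chain checking by default which gives us the same
+fix without as much of a performance hit (slight), so we prefer that if
+available.
+https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+*/
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
 X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
 X509_V_FLAG_TRUSTED_FIRST);
-}
 #endif
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+/* Have intermediate certificates in the trust store be treated as
+trust-anchors, in the same way as self-signed root CA certificates
+are. This allows users to verify servers using the intermediate cert
+only, instead of needing the whole chain. */
+X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+}
 
 /* SSL always tries to verify the peer, this only says whether it should
 * fail to connect if the verification fails, or if it should continue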
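Review bot: The new X509_V_FLAG_PARTIAL_CHAIN comment states the benefit but not the trade-off, and this is a trust-semantics change that every CA bundle loaded into BACKEND->ctx's store now inherits: as far as I can tell from OpenSSL's verifier, chain building stops at the first trusted certificate, so when an intermediate in the store is used as the anchor, nothing above it (the root's own constraints, or a CRL the root issued for that intermediate) is consulted any more — worth confirming against the OpenSSL version in use. I would extend the comment with `Note: the chain is not built past a trusted intermediate, so the root above it is not consulted for that connection.` so the next reader does not have to rediscover this. Since the flag is applied whenever verifypeer is set and OpenSSL defines it, the user-facing CA-bundle documentation should say that any CA certificate in the bundle, not only self-signed roots, now acts as a trust anchor, matching the other backends the commit message mentions. Both X509_STORE_set_flags calls target the same store and the flags are additive, so a single OR'ed call would be shorter, but the separate `#if`/`#ifdef` guards make the two-call form reasonable. ossl_connect_step1 begins and continues outside the hunk.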