openssl: Fix verification of server-sent legacy intermediates
- Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Prior to this change, server-sent legacy intermediates with missing legacy issuers would cause verification to fail, even if the client's CA bundle contained a valid replacement for the intermediate and an alternate chain could be constructed that would verify successfully. https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
This commit is contained in:
parent
8f4791440a
commit
b8673bb9f0
@ -2013,6 +2013,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
data->set.str[STRING_SSL_CRLFILE]: "none");
|
||||
}
|
||||
|
||||
/* Try building a chain using issuers in the trusted store first to avoid
|
||||
problems with server-sent legacy intermediates.
|
||||
Newer versions of OpenSSL do alternate chain checking by default which
|
||||
gives us the same fix without as much of a performance hit (slight), so we
|
||||
prefer that if available.
|
||||
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
||||
*/
|
||||
#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
|
||||
if(data->set.ssl.verifypeer) {
|
||||
X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
|
||||
X509_V_FLAG_TRUSTED_FIRST);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* SSL always tries to verify the peer, this only says whether it should
|
||||
* fail to connect if the verification fails, or if it should continue
|
||||
* anyway. In the latter case the result of the verification is checked with
|
||||
|
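Review bot: The `#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)` guard uses the existence of a "no alt chains" flag as the signal that alternate chain checking is already the default, and the comment above it does not say so; a reader cannot tell why the absence of a disabling flag means the fix is unnecessary. I would add, just above the `#if`, `/* X509_V_FLAG_NO_ALT_CHAINS is only defined in OpenSSL builds where alternate chain checking is the default, so TRUSTED_FIRST is only needed when it is absent. */`. Note also that this is a compile-time decision made against the headers, so if the runtime library differs from the build-time one the chain-building behaviour may not match what the guard assumes; a short comment stating that the header version is taken as representative would make that trade-off explicit. Keeping the flag under `data->set.ssl.verifypeer` is right, since it only influences chain construction during verification, and a one-line comment on the `if` saying so would save the next reader from wondering whether it should also apply when verification is disabled. ossl_connect_step1 starts and ends outside this hunk.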