[gnurl] 81/151: openssl: set X509_V_FLAG_PARTIAL_CHAIN
From: gnunet
Subject: [gnurl] 81/151: openssl: set X509_V_FLAG_PARTIAL_CHAIN
Date: Fri, 20 Dec 2019 14:26:30 +0100
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 94f1f771586913addf5c68f9219e176036c50115
Author: Daniel Stenberg <address@hidden>
AuthorDate: Mon Dec 2 10:45:55 2019 +0100
openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.
Other TLS backends already accept partial chains.
Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
---
lib/vtls/openssl.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 7c6854d1f..fb725716c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2773,19 +2773,27 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
infof(data, " CRLfile: %s\n", ssl_crlfile);
}
- /* Try building a chain using issuers in the trusted store first to avoid
- problems with server-sent legacy intermediates. Newer versions of
- OpenSSL do alternate chain checking by default which gives us the same
- fix without as much of a performance hit (slight), so we prefer that if
- available.
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
- */
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
if(verifypeer) {
+ /* Try building a chain using issuers in the trusted store first to avoid
+ problems with server-sent legacy intermediates. Newer versions of
+ OpenSSL do alternate chain checking by default which gives us the same
+ fix without as much of a performance hit (slight), so we prefer that if
+ available.
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ */
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
X509_V_FLAG_TRUSTED_FIRST);
- }
#endif
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+ /* Have intermediate certificates in the trust store be treated as
+ trust-anchors, in the same way as self-signed root CA certificates
+ are. This allows users to verify servers using the intermediate cert
+ only, instead of needing the whole chain. */
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+ X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+ }
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
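Review bot: the user-facing documentation is not updated alongside this hunk (the diffstat touches only lib/vtls/openssl.c), yet the new X509_V_FLAG_PARTIAL_CHAIN block changes what the CA bundle means for the OpenSSL backend: any intermediate certificate present in the trust store, including one an operator added only to help chain building against servers that send incomplete chains, now counts as a trust anchor on its own. Suggest stating this in the CURLOPT_CAINFO / CURLOPT_CAPATH and --cacert docs, and adding a test pair that checks a server verifies against an intermediate-only CA file while a leaf issued by an unrelated intermediate still fails. The placement is otherwise sound: the flag is set only inside `if(verifypeer) {`, so it has no effect when verification is disabled, and keeping the two `X509_STORE_set_flags` calls separate is fine because the function ORs its argument into the store's existing flags.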
--
To stop receiving notification emails like this one, please contact
address@hidden.