aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrançois Rigault <rigault.francois@gmail.com>2020-06-05 22:00:58 +0200
committerDaniel Stenberg <daniel@haxx.se>2020-06-06 18:01:24 +0200
commite2de2d53979ac6d93303562f5531f75944e70b8b (patch)
tree957013e2326285613eb69088e92c31c01d3eea00
parent2705830f2fa0f7831e45fd4550dbe645136ab41c (diff)
openssl: set FLAG_TRUSTED_FIRST unconditionally
On some systems, openssl 1.0.x is still the default, but it has been patched to contain all the recent security fixes. As a result of this patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be defined, while the previous behavior of openssl to not look at trusted chains first, remains. Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to probe for the behavior of openssl based on the existence ofmacros. Closes #5530
-rw-r--r--lib/vtls/openssl.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 9e35f6ebc..41d948b3a 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3052,12 +3052,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
if(verifypeer) {
/* Try building a chain using issuers in the trusted store first to avoid
problems with server-sent legacy intermediates. Newer versions of
- OpenSSL do alternate chain checking by default which gives us the same
- fix without as much of a performance hit (slight), so we prefer that if
- available.
+ OpenSSL do alternate chain checking by default but we do not know how to
+ determine that in a reliable manner.
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
*/
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+#if defined(X509_V_FLAG_TRUSTED_FIRST)
X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
X509_V_FLAG_TRUSTED_FIRST);
#endif