| author | Daniel Stenberg <daniel@haxx.se> | 2020-05-11 23:00:31 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2020-05-13 16:39:36 +0200 |
| commit | 81a54b12c631e8126e3eb484c74040b991e78f0c | |
| tree | cb52f0828b22f8eb4db76a282d153a5e5e3c1f91 /lib | |
| parent | 9242bee3fee41b482628202a8034dff6937da157 | |
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
... to avoid an OpenSSL bug that otherwise makes the CRL check fail.
Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
Diffstat (limited to 'lib')
-rw-r--r-- lib/vtls/openssl.c | 8
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 6f6b604c2..a147e9980 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2973,11 +2973,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) X509_V_FLAG_TRUSTED_FIRST); #endif #ifdef X509_V_FLAG_PARTIAL_CHAIN - if(!SSL_SET_OPTION(no_partialchain)) { + if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) { /* Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert - only, instead of needing the whole chain. */ + only, instead of needing the whole chain. + + Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we + cannot do partial chains with CRL check. + */ X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx), X509_V_FLAG_PARTIAL_CHAIN); } |
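Review bot: the new `&& !ssl_crlfile` condition silently drops X509_V_FLAG_PARTIAL_CHAIN whenever a CRL file is configured, so a user whose trust store holds only an intermediate CA (exactly the case the comment says the flag exists for) will start getting verification failures with no hint why once CURLOPT_CRLFILE is set; an infof() on that path and a sentence in the CURLOPT_CRLFILE and CURLSSLOPT_NO_PARTIALCHAIN documentation would make the behavioural change visible to users. The added comment also cites the OpenSSL issue without recording which OpenSSL versions are affected, so nothing tells a future maintainer when this workaround can be retired; noting the affected versions, or guarding the condition on OPENSSL_VERSION_NUMBER once an upstream fix exists, would help.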