aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2015-05-30 01:29:48 -0400
committerJay Satiro <raysatiro@yahoo.com>2015-06-07 23:33:32 -0400
commitb8673bb9f05013eef1ae413e15ac995e9d215641 (patch)
treec10e1bbccc7f637641cad560388a2072de20899b /lib
parent8f4791440a940cbc7bd5a911ae5344b117669dcc (diff)
openssl: Fix verification of server-sent legacy intermediates
- Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Prior to this change server-sent legacy intermediates with missing legacy issuers would cause verification to fail even if the client's CA bundle contained a valid replacement for the intermediate and an alternate chain could be constructed that would verify successfully. https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/openssl.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 6378e10ff..1df32558b 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2013,6 +2013,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
data->set.str[STRING_SSL_CRLFILE]: "none");
}
+ /* Try building a chain using issuers in the trusted store first to avoid
+ problems with server-sent legacy intermediates.
+ Newer versions of OpenSSL do alternate chain checking by default which
+ gives us the same fix without as much of a performance hit (slight), so we
+ prefer that if available.
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ */
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+ if(data->set.ssl.verifypeer) {
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
+ X509_V_FLAG_TRUSTED_FIRST);
+ }
+#endif
+
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
* anyway. In the latter case the result of the verification is checked with