From 564d88a8bd190a21b362d6da535fccf74d33394d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Dec 2019 10:55:33 +0100
Subject: openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains

Closes #4655
---
 lib/vtls/openssl.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'lib/vtls')

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fb725716c..726ff6e7c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
                          X509_V_FLAG_TRUSTED_FIRST);
 #endif
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
-    /* Have intermediate certificates in the trust store be treated as
-       trust-anchors, in the same way as self-signed root CA certificates
-       are. This allows users to verify servers using the intermediate cert
-       only, instead of needing the whole chain. */
-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
-                         X509_V_FLAG_PARTIAL_CHAIN);
+    if(!SSL_SET_OPTION(no_partialchain)) {
+      /* Have intermediate certificates in the trust store be treated as
+         trust-anchors, in the same way as self-signed root CA certificates
+         are. This allows users to verify servers using the intermediate cert
+         only, instead of needing the whole chain. */
+      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                           X509_V_FLAG_PARTIAL_CHAIN);
+    }
 #endif
   }
 
-- 
cgit v1.2.3