From e2de2d53979ac6d93303562f5531f75944e70b8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= Date: Fri, 5 Jun 2020 22:00:58 +0200 Subject: openssl: set FLAG_TRUSTED_FIRST unconditionally On some systems, openssl 1.0.x is still the default, but it has been patched to contain all the recent security fixes. As a result of this patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be defined, while the previous behavior of openssl to not look at trusted chains first, remains. Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to probe for the behavior of openssl based on the existence ofmacros. Closes #5530 --- lib/vtls/openssl.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 9e35f6ebc..41d948b3a 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3052,12 +3052,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) if(verifypeer) { /* Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Newer versions of - OpenSSL do alternate chain checking by default which gives us the same - fix without as much of a performance hit (slight), so we prefer that if - available. + OpenSSL do alternate chain checking by default but we do not know how to + determine that in a reliable manner. https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest */ -#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) +#if defined(X509_V_FLAG_TRUSTED_FIRST) X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx), X509_V_FLAG_TRUSTED_FIRST); #endif -- cgit v1.2.3