cURL / Mailing Lists / curl-library / Single Mail


[PATCH] openssl: allow partial trust chains

From: Reiner Herrmann <>
Date: Wed, 25 Nov 2015 19:09:44 +0100

By default OpenSSL only accepts connections if the full chain to
the root can be verified.
If only an intermediate CA in the chain is trusted, setting this
flag also allows the connection when the root CA is not trusted.
This is also the default behavior for e.g. GnuTLS.

 lib/vtls/openssl.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index b2520e8..5a18845 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1971,6 +1971,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
           data->set.str[STRING_SSL_CRLFILE]: "none");
+  /* Allow partial trust chains, so that trusting an intermediate CA
+   * is sufficient. */
+#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+  X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
+                       X509_V_FLAG_PARTIAL_CHAIN);
   /* Try building a chain using issuers in the trusted store first to avoid
   problems with server-sent legacy intermediates.
   Newer versions of OpenSSL do alternate chain checking by default which
List admin:
Received on 2015-11-25