curl-library
[PATCH] openssl: allow partial trust chains
From: Reiner Herrmann <reiner_at_reiner-h.de>
Date: Wed, 25 Nov 2015 19:09:44 +0100
By default OpenSSL only accepts connections if the full chain to
the root can be verified.
If only an intermediate CA in the chain is trusted, setting this
flag also allows the connection when the root CA is not trusted.
This is also the default behavior for e.g. GnuTLS.
--- lib/vtls/openssl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index b2520e8..5a18845 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1971,6 +1971,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) data->set.str[STRING_SSL_CRLFILE]: "none"); } + /* Allow partial trust chains, so that trusting an intermediate CA + * is sufficient. */ +#if defined(X509_V_FLAG_PARTIAL_CHAIN) + X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx), + X509_V_FLAG_PARTIAL_CHAIN); +#endif + /* Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Newer versions of OpenSSL do alternate chain checking by default which -- 2.6.2
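Review bot: the X509_STORE_set_flags() call makes X509_V_FLAG_PARTIAL_CHAIN the unconditional default for every application using libcurl's OpenSSL backend, but the patch touches only lib/vtls/openssl.c and no documentation; the CURLOPT_CAINFO/CURLOPT_CAPATH pages (and the --cacert/--capath text in the curl man page) should state that any certificate in the CA bundle, not only self-signed roots, now acts as a trust anchor, because that changes what a bundle's contents mean to the people assembling it. Two smaller points: the `#if defined(X509_V_FLAG_PARTIAL_CHAIN)` guard means builds against an OpenSSL without the flag silently keep the strict full-chain behaviour, so the comment `/* Allow partial trust chains, so that trusting an intermediate CA * is sufficient. */` would be more accurate inside the guard or qualified with "when the OpenSSL build supports it"; and since the commit message argues parity with GnuTLS, a test-suite case that verifies against a CA file holding only an intermediate would pin the intended behaviour down for both backends.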
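The verification behaviour the commit message describes, demonstrated with the openssl command-line tool. This is an added example, not part of the patch or of curl: it builds a throwaway three-tier test PKI (root, intermediate, leaf; all names and subjects are constructed), then verifies the leaf against a store that holds only the intermediate, first under OpenSSL's default full-chain rule and then with `-partial_chain`, the CLI counterpart of the X509_V_FLAG_PARTIAL_CHAIN store flag the patch sets. It also records the consequence a reviewer would want on the table: with the flag, any entry in the CA bundle, including the leaf itself, is accepted as a trust anchor.

```shell
#!/bin/sh
# Added demonstration, not part of the curl patch: build a throwaway PKI
# (root -> intermediate -> leaf, all names constructed) and compare OpenSSL's
# default full-chain verification with -partial_chain, the command-line
# counterpart of the X509_V_FLAG_PARTIAL_CHAIN store flag the patch enables.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: an empty DN section (subjects come from -subj) plus
# X.509v3 extension sets for CA certificates and for the server leaf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue_cert NAME SUBJECT EXTSECTION [ISSUER]
# Generates a key and CSR for NAME and signs it with ISSUER's key, or
# self-signs when no ISSUER is given (the root).
issue_cert() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 2 \
        -extfile "$WORK/pki.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
        -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
        -extfile "$WORK/pki.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

issue_cert root         "/CN=Test Root CA"          ca_ext
issue_cert intermediate "/CN=Test Intermediate CA"  ca_ext   root
issue_cert leaf         "/CN=server.example.test"   leaf_ext intermediate

# verify_with_store STORE [verify-options...]
# Verifies leaf.pem with STORE.pem as the only -CAfile and prints "ok" when
# openssl verify reports OK, "fail" otherwise.
verify_with_store() {
  store=$1; shift
  if openssl verify "$@" -CAfile "$WORK/$store.pem" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# 1. Baseline: root trusted, intermediate supplied as untrusted (as a server would send it) -> ok
FULL_CHAIN=$(verify_with_store root -untrusted "$WORK/intermediate.pem")
# 2. Only the intermediate is trusted, default rules: no path to a self-signed root -> fail
STRICT_INTERMEDIATE=$(verify_with_store intermediate)
# 3. Same store with -partial_chain: the intermediate is an acceptable anchor -> ok
PARTIAL_INTERMEDIATE=$(verify_with_store intermediate -partial_chain)
# 4. The caveat: with -partial_chain any bundle entry is an anchor, even the leaf itself -> ok
PARTIAL_LEAF_PINNED=$(verify_with_store leaf -partial_chain)

printf 'full chain, root trusted:          %s\n' "$FULL_CHAIN"
printf 'intermediate only, default:        %s\n' "$STRICT_INTERMEDIATE"
printf 'intermediate only, -partial_chain: %s\n' "$PARTIAL_INTERMEDIATE"
printf 'leaf in store, -partial_chain:     %s\n' "$PARTIAL_LEAF_PINNED"
```

Case 3 is what the patch turns on for libcurl's OpenSSL backend; case 4 is the change users should know about, since a CA file that contains a non-root certificate (intentionally or by accident) now trusts that certificate directly. The `-partial_chain` option and the X509_V_FLAG_PARTIAL_CHAIN flag exist only from OpenSSL 1.0.2 on, which is why the patch wraps the call in `#if defined(X509_V_FLAG_PARTIAL_CHAIN)`.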