Re: Curl thinks SSL cert for code.jquery.com has expired
Date: Mon, 1 Jun 2020 23:53:28 +0200 (CEST)
On Mon, 1 Jun 2020, Daniel Stenberg via curl-library wrote:
> Yes. This is a LibreSSL issue, also found in OpenSSL before 1.1.0, in all
> versions of GnuTLS and probably in some other TLS libs too.
If someone suffers from this bug with OpenSSL 1.0.2 (or something else from
before 1.1.0), it would be interesting to hear if the patch below has any
effect.
The X509_V_FLAG_TRUSTED_FIRST flag should presumably make it do right, and it
seems our added check there is what makes it not get used when it could've
saved users.
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 9e35f6ebc..3d62345f6 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3055,11 +3055,11 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
OpenSSL do alternate chain checking by default which gives us the same
fix without as much of a performance hit (slight), so we prefer that if
available.
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
*/
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+#if defined(X509_V_FLAG_TRUSTED_FIRST)
X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
X509_V_FLAG_TRUSTED_FIRST);
#endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
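Review bot: the comment immediately above the `#if` in this hunk ("OpenSSL do alternate chain checking by default which gives us the same fix without as much of a performance hit (slight), so we prefer that if available") is now stale, because with `!defined(X509_V_FLAG_NO_ALT_CHAINS)` dropped the code no longer prefers alt-chain checking and sets X509_V_FLAG_TRUSTED_FIRST whenever the flag exists; the comment should be rewritten to say that, and to record why the slight performance cost it mentions is now accepted (the expired-root chain this thread is about). It would also help to state in the commit message that, since the thread describes the bug as affecting OpenSSL before 1.1.0 and LibreSSL, the behavioural change is expected to be limited to those builds, so a reviewer can judge the blast radius without reading the thread.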
--

 / daniel.haxx.se | Commercial curl support up to 24x7 is available!
   | Private help, bug fixes, support, ports, new features
   | https://www.wolfssl.com/contact/