enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)

author: Benjamin Peterson <benjamin@python.org> 2015-03-04 22:11:12 -0500
committer: Benjamin Peterson <benjamin@python.org> 2015-03-04 22:11:12 -0500
commit: b1ebba5bd569ede9b6f9573d6618fb3a6abddae5 (patch)
tree: 5dbb4bf92d461244db3722469bc6eb45df7534d5 /Modules/_ssl.c
parent: 34c8d9830699c9695284862b879e28480596330d (diff)
download: cpython-git-b1ebba5bd569ede9b6f9573d6618fb3a6abddae5.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index f9d66a1dd9..309d00bf78 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2072,6 +2072,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
                                    sizeof(SID_CTX));
 #undef SID_CTX
 
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
+
     return (PyObject *)self;
 }
author	Benjamin Peterson <benjamin@python.org>	2015-03-04 22:11:12 -0500
committer	Benjamin Peterson <benjamin@python.org>	2015-03-04 22:11:12 -0500
commit	b1ebba5bd569ede9b6f9573d6618fb3a6abddae5 (patch)
tree	5dbb4bf92d461244db3722469bc6eb45df7534d5 /Modules/_ssl.c
parent	34c8d9830699c9695284862b879e28480596330d (diff)
download	cpython-git-b1ebba5bd569ede9b6f9573d6618fb3a6abddae5.tar.gz