openssl: set X509_V_FLAG_PARTIAL_CHAIN

Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. Other TLS backends already accept partial chains. Reported-by: Jeffrey Walton Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
author: Daniel Stenberg <daniel@haxx.se> 2019-12-02 10:45:55 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2019-12-03 16:28:50 +0100
commit: 94f1f771586913addf5c68f9219e176036c50115 (patch)
tree: 29d69f2c702d407a6c800222f12e375bbb3fe586
parent: 7dffc2b46f78e15ac0f8e19a2c8ebeba0c032aa4 (diff)
download: curl-94f1f771586913addf5c68f9219e176036c50115.tar.gz
1 files changed, 17 insertions, 9 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 7c6854d1f..fb725716c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2773,19 +2773,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     infof(data, "  CRLfile: %s\n", ssl_crlfile);
   }
 
-  /* Try building a chain using issuers in the trusted store first to avoid
-     problems with server-sent legacy intermediates.  Newer versions of
-     OpenSSL do alternate chain checking by default which gives us the same
-     fix without as much of a performance hit (slight), so we prefer that if
-     available.
-     https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
-  */
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
   if(verifypeer) {
+    /* Try building a chain using issuers in the trusted store first to avoid
+       problems with server-sent legacy intermediates.  Newer versions of
+       OpenSSL do alternate chain checking by default which gives us the same
+       fix without as much of a performance hit (slight), so we prefer that if
+       available.
+       https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+    */
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
     X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
                          X509_V_FLAG_TRUSTED_FIRST);
-  }
 #endif
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+    /* Have intermediate certificates in the trust store be treated as
+       trust-anchors, in the same way as self-signed root CA certificates
+       are. This allows users to verify servers using the intermediate cert
+       only, instead of needing the whole chain. */
+    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                         X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+  }
 
   /* SSL always tries to verify the peer, this only says whether it should
    * fail to connect if the verification fails, or if it should continue
author	Daniel Stenberg <daniel@haxx.se>	2019-12-02 10:45:55 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2019-12-03 16:28:50 +0100
commit	94f1f771586913addf5c68f9219e176036c50115 (patch)
tree	29d69f2c702d407a6c800222f12e375bbb3fe586
parent	7dffc2b46f78e15ac0f8e19a2c8ebeba0c032aa4 (diff)
download	curl-94f1f771586913addf5c68f9219e176036c50115.tar.gz