openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains

Closes #4655

1 files changed, 8 insertions, 6 deletions

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fb725716c..726ff6e7c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
                          X509_V_FLAG_TRUSTED_FIRST);
 #endif
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
-    /* Have intermediate certificates in the trust store be treated as
-       trust-anchors, in the same way as self-signed root CA certificates
-       are. This allows users to verify servers using the intermediate cert
-       only, instead of needing the whole chain. */
-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
-                         X509_V_FLAG_PARTIAL_CHAIN);
+    if(!SSL_SET_OPTION(no_partialchain)) {
+      /* Have intermediate certificates in the trust store be treated as
+         trust-anchors, in the same way as self-signed root CA certificates
+         are. This allows users to verify servers using the intermediate cert
+         only, instead of needing the whole chain. */
+      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                           X509_V_FLAG_PARTIAL_CHAIN);
+    }
 #endif
   }