summaryrefslogtreecommitdiff
path: root/lib/vtls/openssl.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2019-12-02 10:55:33 +0100
committerDaniel Stenberg <daniel@haxx.se>2019-12-03 16:28:50 +0100
commit564d88a8bd190a21b362d6da535fccf74d33394d (patch)
treef1d0c5c77852f77bd2eb08e978925e2a79a9a495 /lib/vtls/openssl.c
parent94f1f771586913addf5c68f9219e176036c50115 (diff)
downloadcurl-564d88a8bd190a21b362d6da535fccf74d33394d.tar.gz
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
Diffstat (limited to 'lib/vtls/openssl.c')
-rw-r--r--lib/vtls/openssl.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fb725716c..726ff6e7c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
X509_V_FLAG_TRUSTED_FIRST);
#endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
- /* Have intermediate certificates in the trust store be treated as
- trust-anchors, in the same way as self-signed root CA certificates
- are. This allows users to verify servers using the intermediate cert
- only, instead of needing the whole chain. */
- X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
- X509_V_FLAG_PARTIAL_CHAIN);
+ if(!SSL_SET_OPTION(no_partialchain)) {
+ /* Have intermediate certificates in the trust store be treated as
+ trust-anchors, in the same way as self-signed root CA certificates
+ are. This allows users to verify servers using the intermediate cert
+ only, instead of needing the whole chain. */
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+ X509_V_FLAG_PARTIAL_CHAIN);
+ }
#endif
}