OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN

... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. Reported-by: Michael Kaufmann Fixes #5374 Closes #5376
author: Daniel Stenberg <daniel@haxx.se> 2020-05-11 23:00:31 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2020-05-13 16:39:36 +0200
commit: 81a54b12c631e8126e3eb484c74040b991e78f0c (patch)
tree: cb52f0828b22f8eb4db76a282d153a5e5e3c1f91 /lib/vtls/openssl.c
parent: 9242bee3fee41b482628202a8034dff6937da157 (diff)
download: curl-81a54b12c631e8126e3eb484c74040b991e78f0c.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 6f6b604c2..a147e9980 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2973,11 +2973,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
                          X509_V_FLAG_TRUSTED_FIRST);
 #endif
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
-    if(!SSL_SET_OPTION(no_partialchain)) {
+    if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
       /* Have intermediate certificates in the trust store be treated as
          trust-anchors, in the same way as self-signed root CA certificates
          are. This allows users to verify servers using the intermediate cert
-         only, instead of needing the whole chain. */
+         only, instead of needing the whole chain.
+
+         Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
+         cannot do partial chains with CRL check.
+      */
       X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
                            X509_V_FLAG_PARTIAL_CHAIN);
     }
author	Daniel Stenberg <daniel@haxx.se>	2020-05-11 23:00:31 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2020-05-13 16:39:36 +0200
commit	81a54b12c631e8126e3eb484c74040b991e78f0c (patch)
tree	cb52f0828b22f8eb4db76a282d153a5e5e3c1f91 /lib/vtls/openssl.c
parent	9242bee3fee41b482628202a8034dff6937da157 (diff)
download	curl-81a54b12c631e8126e3eb484c74040b991e78f0c.tar.gz