author | Daniel Stenberg <daniel@haxx.se> | 2019-12-02 10:55:33 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-12-03 16:28:50 +0100 |
commit | 564d88a8bd190a21b362d6da535fccf74d33394d (patch) | |
tree | f1d0c5c77852f77bd2eb08e978925e2a79a9a495 /lib | |
parent | 94f1f771586913addf5c68f9219e176036c50115 (diff) | |
download | curl-564d88a8bd190a21b362d6da535fccf74d33394d.tar.gz |
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
Diffstat (limited to 'lib')
-rw-r--r-- | lib/setopt.c | 1 | ||||
-rw-r--r-- | lib/urldata.h | 1 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 14 |
3 files changed, 10 insertions, 6 deletions
diff --git a/lib/setopt.c b/lib/setopt.c
index 64c29e333..d7b9ca285 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2133,6 +2133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
       data->set.ssl.enable_beast = (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
       data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+      data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
       break;
 #ifndef CURL_DISABLE_PROXY
diff --git a/lib/urldata.h b/lib/urldata.h
index a70b2b09a..3effb1626 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -257,6 +257,7 @@ struct ssl_config_data {
   BIT(falsestart);
   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
   BIT(no_revoke); /* disable SSL certificate revocation checks */
+  BIT(no_partialchain); /* don't accept partial certificate chains */
 };
 struct ssl_general_config {
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fb725716c..726ff6e7c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
                          X509_V_FLAG_TRUSTED_FIRST);
 #endif
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
-    /* Have intermediate certificates in the trust store be treated as
-       trust-anchors, in the same way as self-signed root CA certificates
-       are. This allows users to verify servers using the intermediate cert
-       only, instead of needing the whole chain. */
-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
-                         X509_V_FLAG_PARTIAL_CHAIN);
+    if(!SSL_SET_OPTION(no_partialchain)) {
+      /* Have intermediate certificates in the trust store be treated as
+         trust-anchors, in the same way as self-signed root CA certificates
+         are. This allows users to verify servers using the intermediate cert
+         only, instead of needing the whole chain. */
+      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                           X509_V_FLAG_PARTIAL_CHAIN);
+    }
 #endif
   }
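Review bot: The new `no_partialchain` assignment in the lib/setopt.c hunk is made only for `data->set.ssl`; the `#ifndef CURL_DISABLE_PROXY` branch that begins right after it lies outside the hunk, and the diffstat's single added line in lib/setopt.c suggests the proxy-side option handling did not get a matching `data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);`. The lib/vtls/openssl.c hunk reads the bit through `SSL_SET_OPTION(no_partialchain)`, which selects the proxy config when the TLS handshake is with the proxy, so on that path the option would presumably always read as unset and partial chains stay accepted regardless of what the caller requested — worth confirming against the proxy branch. Both enclosing functions, the `Curl_vsetopt` case and `ossl_connect_step1`, extend beyond their hunks.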