authorDaniel Stenberg <daniel@haxx.se>2019-12-02 10:55:33 +0100
committerDaniel Stenberg <daniel@haxx.se>2019-12-03 16:28:50 +0100
commit564d88a8bd190a21b362d6da535fccf74d33394d (patch)
treef1d0c5c77852f77bd2eb08e978925e2a79a9a495 /lib
parent94f1f771586913addf5c68f9219e176036c50115 (diff)
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
Diffstat (limited to 'lib')
-rw-r--r--lib/setopt.c1
-rw-r--r--lib/urldata.h1
-rw-r--r--lib/vtls/openssl.c14
3 files changed, 10 insertions, 6 deletions
diff --git a/lib/setopt.c b/lib/setopt.c
index 64c29e333..d7b9ca285 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2133,6 +2133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
data->set.ssl.enable_beast =
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+ data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
break;
#ifndef CURL_DISABLE_PROXY
diff --git a/lib/urldata.h b/lib/urldata.h
index a70b2b09a..3effb1626 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -257,6 +257,7 @@ struct ssl_config_data {
BIT(falsestart);
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
BIT(no_revoke); /* disable SSL certificate revocation checks */
+ BIT(no_partialchain); /* don't accept partial certificate chains */
};
struct ssl_general_config {
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fb725716c..726ff6e7c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
X509_V_FLAG_TRUSTED_FIRST);
#endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
- /* Have intermediate certificates in the trust store be treated as
- trust-anchors, in the same way as self-signed root CA certificates
- are. This allows users to verify servers using the intermediate cert
- only, instead of needing the whole chain. */
- X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
- X509_V_FLAG_PARTIAL_CHAIN);
+ if(!SSL_SET_OPTION(no_partialchain)) {
+ /* Have intermediate certificates in the trust store be treated as
+ trust-anchors, in the same way as self-signed root CA certificates
+ are. This allows users to verify servers using the intermediate cert
+ only, instead of needing the whole chain. */
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+ X509_V_FLAG_PARTIAL_CHAIN);
+ }
#endif
}
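Review bot: The new `if(!SSL_SET_OPTION(no_partialchain))` guard documents only the branch that keeps the flag; the effect of the option itself is left implicit, so a reader has to know OpenSSL's default to understand what CURLSSLOPT_NO_PARTIALCHAIN buys. I would add a comment on the `if` line, e.g. `/* CURLSSLOPT_NO_PARTIALCHAIN: leave X509_V_FLAG_PARTIAL_CHAIN unset so the peer chain must end in a trust anchor from the store (OpenSSL's default) */`. It would also help to note, at the `#ifdef X509_V_FLAG_PARTIAL_CHAIN` line, that on OpenSSL builds without this flag the option is accepted but has nothing to disable, since partial chains are never enabled there — presumably that is intended, but the setopt hunk in lib/setopt.c stores the bit unconditionally. ossl_connect_step1 begins and continues outside this hunk.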