From 564d88a8bd190a21b362d6da535fccf74d33394d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 2 Dec 2019 10:55:33 +0100 Subject: openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains Closes #4655 --- lib/vtls/openssl.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'lib/vtls/openssl.c') diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index fb725716c..726ff6e7c 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) X509_V_FLAG_TRUSTED_FIRST); #endif #ifdef X509_V_FLAG_PARTIAL_CHAIN - /* Have intermediate certificates in the trust store be treated as - trust-anchors, in the same way as self-signed root CA certificates - are. This allows users to verify servers using the intermediate cert - only, instead of needing the whole chain. */ - X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), - X509_V_FLAG_PARTIAL_CHAIN); + if(!SSL_SET_OPTION(no_partialchain)) { + /* Have intermediate certificates in the trust store be treated as + trust-anchors, in the same way as self-signed root CA certificates + are. This allows users to verify servers using the intermediate cert + only, instead of needing the whole chain. */ + X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), + X509_V_FLAG_PARTIAL_CHAIN); + } #endif } -- cgit v1.2.1