Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
curl-mini.25399
curl-X509_V_FLAG_PARTIAL_CHAIN.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-X509_V_FLAG_PARTIAL_CHAIN.patch of Package curl-mini.25399
Index: curl-7.60.0/lib/vtls/openssl.c =================================================================== --- curl-7.60.0.orig/lib/vtls/openssl.c +++ curl-7.60.0/lib/vtls/openssl.c @@ -2515,19 +2515,32 @@ static CURLcode ossl_connect_step1(struc infof(data, " CRLfile: %s\n", ssl_crlfile); } - /* Try building a chain using issuers in the trusted store first to avoid - problems with server-sent legacy intermediates. - Newer versions of OpenSSL do alternate chain checking by default which - gives us the same fix without as much of a performance hit (slight), so we - prefer that if available. - https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest - */ -#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) if(verifypeer) { +#if defined(X509_V_FLAG_TRUSTED_FIRST) + /* Try building a chain using issuers in the trusted store first to avoid + problems with server-sent legacy intermediates. Newer versions of + OpenSSL do alternate chain checking by default but we do not know how to + determine that in a reliable manner. + https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest + */ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), X509_V_FLAG_TRUSTED_FIRST); - } #endif +#ifdef X509_V_FLAG_PARTIAL_CHAIN + if(!ssl_crlfile) { + /* Have intermediate certificates in the trust store be treated as + trust-anchors, in the same way as self-signed root CA certificates + are. This allows users to verify servers using the intermediate cert + only, instead of needing the whole chain. + + Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we + cannot do partial chains with CRL check. + */ + X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), + X509_V_FLAG_PARTIAL_CHAIN); + } +#endif + } /* SSL always tries to verify the peer, this only says whether it should * fail to connect if the verification fails, or if it should continue Index: curl-7.60.0/docs/libcurl/opts/CURLOPT_CRLFILE.3 =================================================================== --- curl-7.60.0.orig/docs/libcurl/opts/CURLOPT_CRLFILE.3 +++ curl-7.60.0/docs/libcurl/opts/CURLOPT_CRLFILE.3 @@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to occurs during the SSL exchange. When curl is built to use NSS or GnuTLS, there is no way to influence the use -of CRL passed to help in the verification process. When libcurl is built with -OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both -set, requiring CRL check against all the elements of the certificate chain if -a CRL file is passed. +of CRL passed to help in the verification process. + +When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and +X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the +elements of the certificate chain if a CRL file is passed. Also note that +\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see +\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug. This option makes sense only when used in combination with the \fICURLOPT_SSL_VERIFYPEER(3)\fP option.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor