In situations like [0] the server may provide alternative certificate chain, which is no longer valid in the current certificate store. In fact the issuer of the leaf (or some intermediate) cert is known and trusted, but the alternative chain certs that are sent by server are not trusted, thus leading to `ctx->get_issuer(...)` return 0.
This patch changes the default behavior from "borking out the whole sent chain" to "pop as much certs as needed to make it work". Basically, it pops the last cert and checks if the previous has known issuer. [0]: https://bugzilla.mozilla.org/show_bug.cgi?id=986005#c4
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJUkm/WAAoJENcGPM4Zt+iQO1UQAIIWnbOwB4DG3rT2E3GFQ3JU gk2LFDFhrWgCmTPLki8TDkR664SimPYcMsI9Vg0v3v5PecQQaW2O/BLDYEJiZ07E 2nSQCI8APp10jIdt0QUmehP4uHYAYkGxOBnGzypsrXFz2N5MV4XJG1jUZOsgIgod yZ2Vg8xTejnYrSJ/JfSNTBZy3s20wXDqh06TWNt6rn5o/AsT5l6/JVvC7Vi1DnNu LcddPrCm2tiaUqVQP+Kn5tfYKGhACTGjnCi89t67rYYbZwxLN2YpgspB3Kv8aR4P WMofhpZocAZ/uBQcshWe/ExiFsJESQazmM5KYLrVrLsa/hWYLx2E6Dl/N+6IvsUX 8eoG0QFa25iTRv+gLxXEiKca6EPuOWBm6kcz169nyogKBRBzASk3DMwK6TdOfiXI 5uw3zBByiI/DDaBQW62x1KTkTfrcg0pWZHurEVrSK7USr2nGLxI87IWq/e6kcd6x QbkWmOY5qGoRVoBPjxeVowd5EfyaH2cM7bJLqXcNncYAEmIpvTUEN6YFbyUg2Nuc DaqSUx6UrPOo3M2kyiqDdGz75Xq57ncWByvJ4Dj8DNqyxOliFG8Mldz7vDUYFbHt aKR2UqehGsYZbnw/mFDRRtQ2WliB/BEtjISVKl7KPNgkv5twrZF7fMU/Oh3Mf7pe Jiw6SKPj0JctQF8xpO5J =4E+B -----END PGP SIGNATURE-----
0001-x509-skip-certs-if-in-alternative-cert-chain.patch
Description: Binary data
_______________________________________________ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
