CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/05/24 03:15:14
Modified files:
lib/libcrypto/x509: x509_vpm.c
regress/lib/libssl/unit: Makefile
Log message:
Copy the verify param hostflags independently of the host list
Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.
There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.
ok jsing
