I was trying to diagnose a certificate validation failure in Ruby's
openssl extension tests with LibreSSL 3.2.2, and it was made more
difficult because the verification error type was dropped, resulting
in an SSL_R_CERTIFICATE_VERIFY_FAILED error where
SSL_get_verify_result returned X509_V_OK.
I think this patch will fix it. Compile tested only. OKs, or is there
a better way to fix it?
Thanks,
Jeremy
Index: x509_vfy.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_vfy.c,v
retrieving revision 1.81
diff -u -p -r1.81 x509_vfy.c
--- x509_vfy.c 26 Sep 2020 02:06:28 -0000 1.81
+++ x509_vfy.c 23 Oct 2020 03:34:10 -0000
@@ -680,6 +680,9 @@ X509_verify_cert(X509_STORE_CTX *ctx)
if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) {
ctx->error = X509_V_OK; /* Initialize to OK */
chain_count = x509_verify(vctx, NULL, NULL);
+ if (vctx->error) {
+ ctx->error = vctx->error;
+ }
}
sk_X509_pop_free(roots, X509_free);
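Review bot: The added "if (vctx->error)" copy after the x509_verify() call does not look at chain_count, so a non-zero vctx->error would overwrite ctx->error even when a chain was found. If the new verifier can record an error while discarding one candidate path and still return a valid chain, callers would then see a successful verification with a non-OK error code. Consider copying only when chain_count is zero, or confirm that vctx->error is always X509_V_OK on success. Comparing explicitly with "vctx->error != X509_V_OK" would also match the X509_V_OK initialization two lines above. Since this is compile tested only, a regression test that checks ctx->error after a failed verification would help confirm the fix.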