Switch back to the legacy verifier for the release.

This is disappointing as a lot of work was put into the new verifier
during this cycle. However, there are still too many known bugs and
incompatibilities. It is better to be faced with known broken behavior
than with new broken behavior and to switch now rather than via errata.
This way we have another cycle to iron out the kinks and to fix some of
the remaining bugs.

ok jsing

1 files changed, 2 insertions, 2 deletions

diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c
index 5133a82b0bf..2907448d558 100644
--- a/lib/libcrypto/x509/x509_vpm.c
+++ b/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.24 2021/04/05 07:02:50 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.25 2021/04/15 14:15:03 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -178,7 +178,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
 	param->trust = 0;
 	/*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
 	param->inh_flags = 0;
-	param->flags = 0;
+	param->flags = X509_V_FLAG_LEGACY_VERIFY;
 	param->depth = -1;
 	if (param->policies) {
 		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);