| author | Joel Sing <jsing@cvs.openbsd.org> | 2021-01-05 17:14:47 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2021-01-05 17:14:47 +0000 |
| commit | ae5c3af379b59402e225b783c31ab0cb1e0608dd (patch) | |
| tree | c0b67d746822b81299b2499d161aafaa4520a8ca /lib | |
| parent | ab814d8ede276fee4723412f5cec1fdd6bfef1a7 (diff) | |
Use legacy verifier when building auto chains.
The new verifier builds all chains, starting with the shortest possible
path. It also does not currently return partial chains. Both of these
things conflict with auto chain, where we want to build the longest
possible chain (to include all intermediates, and probably the root
unnecessarily), as well as using an incomplete chain when a trusted chain
is not known.
Depending on software configuration, we can end up building a chain
consisting only of a leaf certificate, rather than a longer chain. This
results in auto chain not including intermediates, which is undesirable.
For now, switch auto chain building to use the legacy verifier.
This should resolve the issues encountered by ajacoutot@ with sendmail.
ok tb@
Diffstat (limited to 'lib')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | lib/libssl/ssl_both.c | 4 |
| -rw-r--r-- | lib/libssl/tls13_server.c | 4 |

2 files changed, 6 insertions, 2 deletions
diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c index 081b374396b..6480b45becf 100644 --- a/lib/libssl/ssl_both.c +++ b/lib/libssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.21 2020/10/14 16:57:33 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.22 2021/01/05 17:14:46 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -408,6 +408,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk) SSLerror(s, ERR_R_X509_LIB); goto err; } + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx), + X509_V_FLAG_LEGACY_VERIFY); X509_verify_cert(xs_ctx); ERR_clear_error(); chain = xs_ctx->chain; diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 1c8644ab27a..549383e3313 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.64 2020/12/14 15:26:36 tb Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.65 2021/01/05 17:14:46 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> * Copyright (c) 2020 Bob Beck <beck@openbsd.org> @@ -639,6 +639,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) goto err; if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) goto err; + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), + X509_V_FLAG_LEGACY_VERIFY); X509_verify_cert(xsc); ERR_clear_error(); chain = xsc->chain; |
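Review bot: in the ssl3_output_cert_chain hunk (ssl_both.c @@ -408), the reason for forcing X509_V_FLAG_LEGACY_VERIFY exists only in the commit message; a short comment above the new X509_VERIFY_PARAM_set_flags() call, stating that auto chain wants the longest available chain and accepts a partial one, neither of which the new verifier provides, would keep a later cleanup from silently dropping the flag. The call is correctly placed after X509_STORE_CTX_init(), which is what populates the ctx's param from the store, and that ordering is worth noting in the same comment. Also visible in the context: the return value of X509_verify_cert() is still discarded and ERR_clear_error() empties the queue before xs_ctx->chain is read, so the chain is used whatever the verifier concluded; that is the intended partial-chain behaviour here, but it should be stated explicitly rather than left as an apparent oversight.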
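Review bot: in the tls13_server_certificate_send hunk (tls13_server.c @@ -639), the two added lines are identical to those added in ssl3_output_cert_chain, and both sites already share the same init / set flag / X509_verify_cert() / take xsc->chain sequence; consider a small shared helper that takes the X509_STORE_CTX, sets X509_V_FLAG_LEGACY_VERIFY and runs the verification, so that when the new verifier gains partial-chain support and this workaround is reverted, the TLS 1.3 and legacy code paths cannot drift apart. Minor: the return value of X509_VERIFY_PARAM_set_flags() is ignored at both sites; it currently always returns 1, but X509_STORE_CTX_init() immediately above has its result checked with goto err, so either check it for consistency or cast the call to (void) to make the intent clear.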