[openssl-dev] [PATCH] x509: skip certs if in alternative cert chain



Fedor Indutny
In situations like [0] the server may provide an alternative certificate
chain, which is no longer valid in the current certificate store. In
fact the issuer of the leaf (or some intermediate) cert is known and
trusted, but the alternative chain certs that are sent by the server are
not trusted, thus leading to `ctx->get_issuer(...)` returning 0.

This patch changes the default behavior from "borking out the whole sent
chain" to "pop as many certs as needed to make it work".

Basically, it pops the last cert and checks if the previous has known
issuer.


NOTE: Possibly duplicate, I didn't get a reply from openssl-bugs@

_______________________________________________
openssl-dev mailing list
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev

Attachments: 0001-x509-skip-certs-if-in-alternative-cert-chain.patch.asc (1K), 0001-x509-skip-certs-if-in-alternative-cert-chain.patch (2K)
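As an added illustration, not the attached patch (which is not reproduced on this page), here is a small Python model of the two chain-building behaviours the post contrasts. Certificates are reduced to constructed subject/issuer name pairs and no signatures are verified, so it only shows the issuer lookup that `ctx->get_issuer(...)` stands for, not real X.509 validation.

```python
# Model of OpenSSL chain building: "strict" fails when any cert in the
# server-sent chain has no known issuer; "pop" discards sent certs from the
# end until one has an issuer in the trust store, then continues from there.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # constructed names only, no real X.509 fields
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def get_issuer(store, cert):
    """Trusted cert whose subject names cert's issuer, or None
    (stands in for ctx->get_issuer() returning 0)."""
    return next((c for c in store if c.subject == cert.issuer), None)


def complete_from_store(chain, store):
    """Extend chain with trusted certs until a self-signed root is reached."""
    chain = list(chain)
    while not chain[-1].self_signed:
        issuer = get_issuer(store, chain[-1])
        if issuer is None:
            return None
        chain.append(issuer)
    return chain


def build_chain_strict(sent, store):
    """Old behaviour: the whole sent chain must connect to the store."""
    return complete_from_store(sent, store)


def build_chain_pop(sent, store):
    """Patched behaviour: pop the last sent cert until the previous one has
    a known issuer, then complete the chain from the trust store."""
    chain = list(sent)
    while chain:
        if get_issuer(store, chain[-1]) is not None:
            return complete_from_store(chain, store)
        chain.pop()
    return None


# Constructed scenario: the server sends the intermediate cross-signed by an
# old root that is not in the store; the store has the same intermediate
# issued by a new, trusted root.
LEAF = Cert("example.org", "Intermediate CA")
INT_SENT = Cert("Intermediate CA", "Old Cross Root")
SENT = [LEAF, INT_SENT]
STORE = {Cert("Intermediate CA", "New Root"), Cert("New Root", "New Root")}
```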