Add flag to inhibit checking for alternate certificate chains. Setting this flag forces the behaviour of previous versions of OpenSSL.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
parent
f7bf8e02df
commit
cf1bf3f032
2 changed files with 10 additions and 2 deletions
|
@ -302,10 +302,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|||
|
||||
/*
|
||||
* If we haven't got a least one certificate from our store then check
|
||||
* if there is an alternative chain that could be used.
|
||||
* if there is an alternative chain that could be used. We only do this
|
||||
* if the user hasn't switched off alternate chain checking
|
||||
*/
|
||||
retry = 0;
|
||||
if (j == ctx->last_untrusted) {
|
||||
if (j == ctx->last_untrusted &&
|
||||
!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
||||
while (j-- > 1) {
|
||||
xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
||||
ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
||||
|
|
|
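Review bot: The new guard `!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)` is a fail-closed toggle and the comment above it should say so, because a reader could otherwise take the flag for a performance option: when it is set the alternate-chain search (the `while (j-- > 1)` loop) is simply skipped, so within this block the flag can only cause verification to reject more, never to accept more. I would extend the comment to `* if the user hasn't switched off alternate chain checking; with the flag set the search is skipped, so verification can only be stricter, never looser.` What happens to the untrusted chain once the search is skipped, and the error reported in that case, lies outside this hunk, as does the rest of X509_verify_cert, so that path should be confirmed separately.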
@ -405,6 +405,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
|||
# define X509_V_FLAG_USE_DELTAS 0x2000
|
||||
/* Check selfsigned CA signature */
|
||||
# define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
|
||||
/*
|
||||
* If the initial chain is not trusted, do not attempt to build an alternative
|
||||
* chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
|
||||
* this flag will force the behaviour to match that of previous versions.
|
||||
*/
|
||||
# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
|
||||
|
||||
# define X509_VP_FLAG_DEFAULT 0x1
|
||||
# define X509_VP_FLAG_OVERWRITE 0x2
|
||||
|
|
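Review bot: The comment on the new `X509_V_FLAG_NO_ALT_CHAINS` records when alternate chain checking appeared but not what setting the flag costs the caller, which is what a practitioner needs before enabling it: with the flag set the alternate-chain search is not attempted, so a certificate that only verifies through an alternative chain now fails instead of being accepted, i.e. the flag can only make verification stricter. I would add `* Setting it can only cause verification to fail where it previously succeeded; it never widens what is accepted.` to the comment block. The value 0x100000 also sits well above `X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000`, the last flag visible here; presumably the intermediate bits belong to flags defined outside this hunk, and a brief remark that 0x100000 was chosen as the next free bit would keep a later addition from colliding. The flag is only consulted through `ctx->param->flags` in the other hunk, so any interaction with other X509_V_FLAG settings is not something this page shows.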