[openssl-dev] [openssl.org #3637] [PATCH] x509: skip certs if in alternative cert chain

Fedor Indutny via RT rt at openssl.org
Thu Dec 18 14:31:49 UTC 2014


In situations like [0] the server may provide an alternative certificate
chain which is no longer valid in the current certificate store. In
fact the issuer of the leaf (or of some intermediate) cert is known and
trusted, but the alternative chain certs that are sent by the server are
not trusted, thus leading `ctx->get_issuer(...)` to return 0.

This patch changes the default behavior from "borking out the whole sent
chain" to "popping as many certs as needed to make it work".

Basically, it pops the last cert and checks whether the previous one has a
known issuer.

[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=986005#c4

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-x509-skip-certs-if-in-alternative-cert-chain.patch
Type: application/octet-stream
Size: 1828 bytes
Desc: not available
URL: <http://mta.opensslfoundation.net/pipermail/openssl-dev/attachments/20141218/add5821c/attachment.obj>
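The chain-popping behaviour described in the message above, as an added illustration that is not OpenSSL's code and not the attached patch. It models the issuer lookup with a tiny name-only certificate structure and a hypothetical trust store, and contrasts the previous "reject the whole sent chain" behaviour with "pop the untrusted tail until the remaining last cert has a known issuer". All names (cert subjects, `build_chain_strict`, `build_chain_alt`, the store contents) are constructed for the example; the sent chain mirrors the cross-signed-root situation from the Mozilla bug, with the old root deliberately absent from the store.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not OpenSSL's code): a minimal model of
 * "pop certs from the end of the sent chain until the new last cert
 * has a known issuer". Only subject/issuer names are modelled; no
 * signatures are checked here. */

#define MAX_CHAIN 8

typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* Hypothetical trust store holding a single trust anchor. The old root
 * that cross-signed it is deliberately NOT present. */
static const cert_t trust_store[] = {
    { "Root G2", "Root G2" },
};

/* Stand-in for ctx->get_issuer(): 1 if an issuer for c is in the store, else 0. */
static int get_issuer(const cert_t *c)
{
    size_t i;
    for (i = 0; i < sizeof trust_store / sizeof trust_store[0]; i++)
        if (strcmp(trust_store[i].subject, c->issuer) == 0)
            return 1;
    return 0;
}

/* The sent chain must be internally linked: sent[i] is issued by sent[i+1]. */
static int chain_is_linked(const cert_t *sent, int n)
{
    int i;
    for (i = 0; i + 1 < n; i++)
        if (strcmp(sent[i].issuer, sent[i + 1].subject) != 0)
            return 0;
    return 1;
}

/* Previous behaviour: the whole sent chain is rejected unless the LAST
 * sent cert has a known issuer. Returns certs kept (0 = rejected). */
static int build_chain_strict(const cert_t *sent, int n)
{
    if (n < 1 || n > MAX_CHAIN || !chain_is_linked(sent, n))
        return 0;
    return get_issuer(&sent[n - 1]) ? n : 0;
}

/* Patched behaviour: pop the last cert repeatedly until the cert that is
 * now last has a known issuer. Returns certs kept (0 = no usable chain). */
static int build_chain_alt(const cert_t *sent, int n)
{
    int len;
    if (n < 1 || n > MAX_CHAIN || !chain_is_linked(sent, n))
        return 0;
    for (len = n; len >= 1; len--)
        if (get_issuer(&sent[len - 1]))
            return len;
    return 0;
}

/* Constructed sent chain: leaf <- intermediate <- cross-cert of Root G2
 * signed by "Old Root G1", which the store no longer trusts. */
static const cert_t sent_chain[] = {
    { "www.example.test", "Intermediate CA" },
    { "Intermediate CA",  "Root G2" },
    { "Root G2",          "Old Root G1" },   /* the stale cross-certificate */
};
#define SENT_N ((int)(sizeof sent_chain / sizeof sent_chain[0]))

int strict_result(void) { return build_chain_strict(sent_chain, SENT_N); }
int alt_result(void)    { return build_chain_alt(sent_chain, SENT_N); }

int main(void)
{
    printf("strict: %d certs kept\n", strict_result()); /* 0: whole chain rejected */
    printf("alt:    %d certs kept\n", alt_result());    /* 2: cross-cert popped */
    return 0;
}
```

The point the model makes is that the cross-certificate is not forged or invalid in itself; it simply chains to a root the store does not contain, so rejecting the whole sent chain loses a path that the store can in fact anchor one cert earlier. Popping only changes which sent cert the issuer lookup is tried on; signature verification of the kept certs against the found anchor still has to happen in the normal verify path.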
