From fda9215f5993e0741523b9fa4d0b8b67e4f80fc8 Mon Sep 17 00:00:00 2001 From: jsing Date: Tue, 5 Jan 2021 17:14:46 +0000 Subject: Use legacy verifier when building auto chains. The new verifier builds all chains, starting with the shortest possible path. It also does not currently return partial chains. Both of these things conflict with auto chain, where we want to build the longest possible chain (to include all intermediates, and probably the root unnecessarily), as well as using an incomplete chain when a trusted chain is not known. Depending on software configuration, we can end up building a chain consisting only of a leaf certificate, rather than a longer chain. This results in auto chain not including intermediates, which is undesireable. For now, switch auto chain building to use the legacy verifier. This should resolve the issues encountered by ajacoutot@ with sendmail. ok tb@ --- lib/libssl/tls13_server.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/libssl/tls13_server.c') diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 1c8644ab27a..549383e3313 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.64 2020/12/14 15:26:36 tb Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.65 2021/01/05 17:14:46 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -639,6 +639,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) goto err; if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) goto err; + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), + X509_V_FLAG_LEGACY_VERIFY); X509_verify_cert(xsc); ERR_clear_error(); chain = xsc->chain; -- cgit v1.2.3-59-g8ed1b