@bagder bagder commented Dec 17, 2025

Reported-by: Stanislav Fort

@bagder bagder added the TLS label Dec 17, 2025
@bagder bagder marked this pull request as ready for review December 17, 2025 12:52
@bagder bagder requested a review from Copilot December 17, 2025 12:52

bagder commented Dec 17, 2025

augment review

augmentcode bot commented Dec 17, 2025

🤖 Augment PR Summary

Summary: OpenSSL: include CURLSSLOPT_NO_PARTIALCHAIN in the X509 store cache key so a CA store built with different partial-chain behavior is not reused.
Change: Persist and compare no_partialchain in ossl_x509_share when deciding whether a cached X509_STORE matches the current SSL config.

@augmentcode augmentcode bot left a comment

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.

Copilot AI left a comment

Pull request overview

This PR fixes a bug where toggling the CURLSSLOPT_NO_PARTIALCHAIN option would incorrectly reuse a cached X509_STORE that was created with a different setting for this option. The no_partialchain flag controls whether OpenSSL's X509_V_FLAG_PARTIAL_CHAIN is set on the certificate store, which affects certificate chain validation behavior.

Key Changes:

  • Added no_partialchain field to ossl_x509_share structure to track the partial chain state of cached stores
  • Modified ossl_cached_x509_store_different() to check if the cached store's no_partialchain setting matches the current request
  • Updated ossl_set_cached_x509_store() to save the no_partialchain state when caching a store

@bagder bagder closed this in cd046f6 Dec 17, 2025
@bagder bagder deleted the bagder/diff-ca-cache branch December 17, 2025 14:29
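
The cache-key problem described in the review overview above, as an added example that is not curl's code or part of this pull request: a simplified model that compares a cache check ignoring the flag with one that includes it. Only `no_partialchain` comes from the page; the struct layout, `ca_file` and the function names are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified model, not curl's code: only no_partialchain is named on the
   page; ca_file and the function names are assumptions for this example. */
struct cached_store {
  const char *ca_file;   /* CA bundle the store was built from */
  bool no_partialchain;  /* partial-chain setting baked into the store */
  bool valid;            /* false until a store has been cached */
};

struct tls_config {
  const char *ca_file;
  bool no_partialchain;  /* what this transfer asked for */
};

typedef bool (*differs_fn)(const struct cached_store *,
                           const struct tls_config *);

/* Cache key without the flag: a toggled option still matches. */
bool differs_without_flag(const struct cached_store *c,
                          const struct tls_config *cfg)
{
  return !c->valid || strcmp(c->ca_file, cfg->ca_file) != 0;
}

/* Cache key with the flag: a toggled option forces a rebuild. */
bool differs_with_flag(const struct cached_store *c,
                       const struct tls_config *cfg)
{
  return differs_without_flag(c, cfg) ||
         c->no_partialchain != cfg->no_partialchain;
}

/* Build-or-reuse step; returns the partial-chain setting of the store
   the transfer would actually verify against. */
bool store_setting_used(struct cached_store *c, const struct tls_config *cfg,
                        differs_fn differs)
{
  if(differs(c, cfg)) {            /* rebuild and remember the key */
    c->ca_file = cfg->ca_file;
    c->no_partialchain = cfg->no_partialchain;
    c->valid = true;
  }
  return c->no_partialchain;
}
```

With the flag left out of the key, a second transfer that toggles the option verifies against a store built with the first transfer's setting.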