openssl: set FLAG_TRUSTED_FIRST unconditionally #5530
Problem is that curl will fail to verify websites still serving an expired intermediate certificate, which happened quite a few times recently: https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration
On some systems, openssl 1.0 is still the default, but it has been patched to contain all the recent security fixes. As a result of this patching, it is possible for the macro X509_V_FLAG_NO_ALT_CHAINS to be defined, while the previous behavior of openssl to not look at trusted chains first remains. Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to probe for the behavior of openssl based on the existence of macros.
Too fast did you investigate his claim? I was the one who set it not to use trusted first when alt chains was in effect. @mattcaswell wrote "It makes no sense to combine the trusted first and alt chains strategies. With trusted first we have already checked all of the possible chains by the time we get to the end of the peer provided list - so there is no point in then popping certs off the top of our chain and checking the trusted store again."
So, no, it wasn't too fast. But I'm open for alternative takes. Not sure spending a lot of brain-cells on old OpenSSL versions is worth it though.
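To make the two strategies under discussion concrete, here is an added Python model of OpenSSL's chain building (not curl's or OpenSSL's code): the legacy "peer certs first" order, the alt-chains retry that pops peer certs off the top, and the trusted-first order. It assumes a simplified rule that any certificate in the trust store is an anchor, and the certificate names are constructed after the AddTrust expiry scenario the PR links to.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    expired: bool = False

def issuer_in(cert, pool):
    """First cert in `pool` whose subject matches `cert`'s issuer name (None if absent)."""
    return next((c for c in pool if c.subject == cert.issuer), None)

def build_chain(leaf, untrusted, trusted, trusted_first):
    """Walk from the leaf towards an anchor; any cert in `trusted` counts as an anchor."""
    chain = [leaf]
    while True:
        top = chain[-1]
        if top in trusted:
            return chain, True
        if trusted_first:  # X509_V_FLAG_TRUSTED_FIRST: consult the trust store first
            anchor = issuer_in(top, trusted)
            if anchor is not None:
                return chain + [anchor], True
        if top.subject == top.issuer:  # self-signed but not trusted: dead end
            return chain, False
        nxt = issuer_in(top, untrusted)  # legacy order: peer-supplied certs first
        if nxt is None:
            anchor = issuer_in(top, trusted)
            return (chain + [anchor], True) if anchor else (chain, False)
        chain.append(nxt)

def verify(leaf, untrusted, trusted, trusted_first=False, alt_chains=False):
    chain, anchored = build_chain(leaf, untrusted, trusted, trusted_first)
    # Alt chains: only if no anchor was reached, pop peer certs off the top and retry the store
    while alt_chains and not anchored and len(chain) > 1:
        chain.pop()
        anchor = issuer_in(chain[-1], trusted)
        if anchor is not None:
            chain.append(anchor)
            anchored = True
    return anchored and not any(c.expired for c in chain)

# Constructed scenario modelled on the 2020 AddTrust expiry (names are illustrative).
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA")
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", expired=True)
USERTRUST_CROSS = Cert("USERTrust RSA CA", "AddTrust External CA Root", expired=True)
SECTIGO_INT = Cert("Sectigo RSA DV CA", "USERTrust RSA CA")
LEAF = Cert("www.example.test", "Sectigo RSA DV CA")
PEER_CHAIN = [SECTIGO_INT, USERTRUST_CROSS, ADDTRUST_ROOT]  # server still sends the expired certs
STORE_NEW = [USERTRUST_ROOT]                 # AddTrust root removed from the store
STORE_OLD = [USERTRUST_ROOT, ADDTRUST_ROOT]  # AddTrust root still present, expired
```

With the legacy order, verification fails whenever the expired AddTrust root is still trusted (alt chains never run, because an anchor was reached), and only alt chains rescue the case where it was removed; with trusted-first the valid USERTrust root is found before the expired peer certs are ever consulted, which is why the two strategies need not be combined.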