-
Notifications
You must be signed in to change notification settings - Fork 29.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
deps: backport openssl patch of alt cert chains 1
This a backport of da084a5ec6cebd67ae27f2463ebe4a50bb840fa5 in https://github.com/openssl/openssl by Matt Caswell <[email protected]> as In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store. When building a trust chain if the first attempt fails, then try to see if alternate chains could be constructed that are trusted. deps: backport openssl patch of alt cert chains 2 This a backport of 15dba5be6a4482a9ad7e5b846291f31e97e338ca in https://github.com/openssl/openssl by Matt Caswell <[email protected]> as Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL Fixes: #589 PR-URL: #1389 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>
- Loading branch information
Shigeki Ohtsu
committed
Apr 14, 2015
1 parent
71316c4
commit ae8831f
Showing
2 changed files
with
113 additions
and
70 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good news @shigeki @bnoordhuis ! This patch is going to be backported to 1.0.2 branch!
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@indutny Yes, I've found them on git repository. We need not to apply private patches from 1.0.2b.
I also found an another backported patch in openssl/openssl@47daa15 . I wonder if this is needed in 1.0.2a since there is no loop for a cert chain in checking a issuer in 1.0.2a where there is one in master as https://github.com/openssl/openssl/blob/master/crypto/x509/x509_vfy.c#L538-L544 . But I might have missed something.
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shigeki I'd stay close with the 1.0.2b anyway, but I do see your argument. :) Let's update to it once it'll be released, I think it should happen soon.
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@indutny Let's wait it until 1.0.2b. I'm just wondering if we need to apply the new backported patch to iojs immediately.
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shigeki doesn't seem to be necessary. I'll ask Matt about the purpose of this patch.
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@indutny Thanks!
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shigeki according to Matt it was backported by mistake! Good catch, man!
ae8831f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@indutny It's my pleasure. Thanks for your feedback.