Diffstat (limited to 'debian/patches/fix-intermediate-ca.patch')
-rw-r--r-- | debian/patches/fix-intermediate-ca.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch
new file mode 100644
index 0000000..e4e1ffc
--- /dev/null
+++ b/debian/patches/fix-intermediate-ca.patch
@@ -0,0 +1,33 @@
+From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 08:59:53 -0400
+Subject: [PATCH] move partial chain set to after set cert store. Should fix
+ #4753
+
+---
+ src/main/tls.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 118978b52a3f..8a6844f4939b 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ /*
+ * Load the CAs we trust and configure CRL checks if needed
+ */
+-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+-#endif
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+ }
+
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
+ conf->ca_path_last_reload = time(NULL); |
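Review bot: The relocated `X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN)` in the tls.c hunk now lands on the store installed by `SSL_CTX_set_cert_store`, so partial-chain verification takes effect for a configured `ca_file`/`ca_path`, and nothing in the code records what that means for trust. With this flag every certificate in the store, including an intermediate, acts as a trust anchor, so deployments that list intermediates there will accept chains ending at them without reaching a self-signed root. Whether `fr_init_x509_store` already set the flag itself is not visible from here. I would add a comment above the `#if` such as `/* Must follow SSL_CTX_set_cert_store(): the flag lives on the store. With PARTIAL_CHAIN any cert in ca_file/ca_path is a trust anchor. */`, and check the call's return value, since a silent failure leaves stricter behaviour than the operator expects. `tls_init_ctx` starts and ends outside the hunk.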