path: root/debian/patches/fix-intermediate-ca.patch
Diffstat (limited to 'debian/patches/fix-intermediate-ca.patch')
-rw-r--r--debian/patches/fix-intermediate-ca.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch
new file mode 100644
index 0000000..e4e1ffc
--- /dev/null
+++ b/debian/patches/fix-intermediate-ca.patch
@@ -0,0 +1,33 @@
+From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 08:59:53 -0400
+Subject: [PATCH] move partial chain set to after set cert store. Should fix
+ #4753
+
+---
+ src/main/tls.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 118978b52a3f..8a6844f4939b 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ /*
+ * Load the CAs we trust and configure CRL checks if needed
+ */
+-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+-#endif
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+ }
+
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
+ conf->ca_path_last_reload = time(NULL);
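Review bot: The relocated `#if defined(X509_V_FLAG_PARTIAL_CHAIN)` block carries no comment explaining why it must sit after `SSL_CTX_set_cert_store()`, so the next refactor can silently move it back above the `if (conf->ca_file || conf->ca_path)` branch and reintroduce the bug this patch fixes. I would add, above the `#if`: `/* Must follow SSL_CTX_set_cert_store(): that call replaces the store object, so flags set on the default store would be lost. */`. The flag also deserves a one-line note on its security effect, since it widens what counts as a trust anchor: `/* PARTIAL_CHAIN: any certificate in ca_file/ca_path, including a non-self-signed intermediate, terminates chain building as a trusted anchor. */` — presumably the intent behind #4753, worth confirming in the ticket. Whether that widening is acceptable for every deployment that lists intermediates in ca_file only for chain-completion purposes is not visible from this hunk; tls_init_ctx begins and ends outside it.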