1 files changed, 40 insertions, 0 deletions

diff --git a/debian/patches/fix-tls-client-cert-common-name-1.patch b/debian/patches/fix-tls-client-cert-common-name-1.patch
new file mode 100644
index 0000000..e0cf181
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-1.patch
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always.  Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ 	if (conf->check_all_crl)
+ 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++	X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ 	return store;
+ }
+ 
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ 	if (conf->ca_file || conf->ca_path) {
+ 		if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ 		SSL_CTX_set_cert_store(ctx, certstore);
+-	}
+-
++	} else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+-	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++		X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++	}
+ 
+ 	if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+