From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Tue, 25 Oct 2022 08:59:53 -0400
Subject: [PATCH] move partial chain set to after set cert store. Should fix #4753
---
 src/main/tls.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main/tls.c b/src/main/tls.c
index 118978b52a3f..8a6844f4939b 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
 	/*
 	 * Load the CAs we trust and configure CRL checks if needed
 	 */
-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
-	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
-#endif
 	if (conf->ca_file || conf->ca_path) {
 		if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
 		SSL_CTX_set_cert_store(ctx, certstore);
 	}
+#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
 	if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
 	conf->ca_path_last_reload = time(NULL);
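Review bot: The ordering the moved `#if defined(X509_V_FLAG_PARTIAL_CHAIN)` block now depends on is left undocumented, so the next refactor can silently reintroduce #4753 by hoisting it back above the `if (conf->ca_file || conf->ca_path)` block. A comment on the `X509_STORE_set_flags()` line would pin it: `/* Must run after SSL_CTX_set_cert_store(): that call replaces the store, so flags set on the previous store are lost. */`. Worth stating in the same comment, for operators reading the trust policy, that with this flag every certificate in ca_file/ca_path acts as a trust anchor, including intermediates, not only self-signed roots; and since X509_STORE_set_flags() ORs into the existing verify flags, any CRL-related flags fr_init_x509_store() may have set are presumably preserved (worth confirming against that helper). tls_init_ctx() begins before this hunk and continues after it.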