From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Tue, 25 Oct 2022 10:51:02 -0400
Subject: [PATCH] set partial chain always.  Helps with #4785

---
 src/main/tls.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/main/tls.c b/src/main/tls.c
index aa6395d8391f..a33699cbb66e 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
 	if (conf->check_all_crl)
 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
 #endif
+
+#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+	X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
 	return store;
 }
 
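Review bot: Setting X509_V_FLAG_PARTIAL_CHAIN unconditionally on the store built from ca_file/ca_path changes what counts as a trust anchor — any intermediate CA certificate present in the store can now terminate a client chain without it reaching a self-signed root — yet unlike check_all_crl a few lines above there is no configuration switch and no comment explaining the new semantics. Operators who put intermediates into ca_path only for chain building, not as anchors, will have those intermediates silently trusted as anchors once this lands. I'd add a comment above the new `#if`: `/* Treat every CA in ca_file / ca_path as a trust anchor, even an intermediate that does not chain to a self-signed root (see #4785). */` and consider a config option mirroring check_all_crl so the behaviour is visible in the server configuration. fr_init_x509_store begins outside the hunk; the same flag is also applied to the default store in the second hunk, which runs past the end of this excerpt.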
@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
 	if (conf->ca_file || conf->ca_path) {
 		if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
 		SSL_CTX_set_cert_store(ctx, certstore);
-	}
-
+	} else {
 #if defined(X509_V_FLAG_PARTIAL_CHAIN)
-	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+		X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
 #endif
+	}
 
 	if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));