artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3c95f6f) | patch
Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
authorjsing <jsing@openbsd.org>
Thu, 30 Sep 2021 18:23:46 +0000 (18:23 +0000)
committerjsing <jsing@openbsd.org>
Thu, 30 Sep 2021 18:23:46 +0000 (18:23 +0000)
commita37b3deb471156262bc68bcaa97d2cb9f78494f8
tree8f121f651edc828c9046ef6f143da8011536c605tree | snapshot
parent3c95f6f12797ebbdedb8d5f712eb65bd04fe233acommit | diff
Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.

In order to work around the expired DST Root CA X3 certficiate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.

Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.

ok millert@ robert@ tb@
lib/libcrypto/x509/x509_vpm.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim