mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-30 14:01:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE

Browse Source 
This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callback can mask that error to retrieve additional
error information. So the user application can decide to
abort the connection instead to be forced by openssl.

This change in behaviour is backward compatible as user callbacks
who don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
still abort the connection by default.

CLA: trivial
Fixes #11297

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13083)
This commit is contained in:
André Klitzing 2020-03-18 16:04:06 +01:00 committed by Dr. David von Oheimb
parent df38dcfcd5
commit 02a2567173
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
crypto/x509/x509_vfy.c
View File

@ -1804,9 +1804,15 @@ static int internal_verify(X509_STORE_CTX *ctx)
xs = xi;
goto check_cert_time;
}
if (n <= 0)
return verify_cb_cert(ctx, xi, 0,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
if (n <= 0) {
if (!verify_cb_cert(ctx, xi, 0,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
return 0;
xs = xi;
goto check_cert_time;
}
n--;
ctx->error_depth = n;
xs = sk_X509_value(ctx->chain, n);