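--- a/deps/openssl/openssl/crypto/x509
+++ b/deps/openssl/openssl/crypto/x509
@@ -362,11 +362,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     /*
      * If it's not explicitly trusted then check if there is an alternative
      * chain that could be used. We only do this if we haven't already
-     * checked via TRUSTED_FIRST
+     * checked via TRUSTED_FIRST and the user hasn't switched off alternate
+     * chain checking
      */
     retry = 0;
     if (i != X509_TRUST_TRUSTED
-        && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) {
+        && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+        && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
         while (j-- > 1) {
             xtmp2 = sk_X509_value(ctx->chain, j - 1);
             ok = ctx->get_issuer(&xtmp, ctx, xtmp2);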
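Review bot: The two flag tests in the added condition read `ctx->param->flags` twice and would be clearer as a single mask that states the intent — alternate-chain building is skipped when either option asks for it: `&& !(ctx->param->flags & (X509_V_FLAG_TRUSTED_FIRST | X509_V_FLAG_NO_ALT_CHAINS))) {`. Both forms are plain bit tests on the same word, so behaviour is unchanged. A one-line comment above the `if` saying that with NO_ALT_CHAINS set an untrusted initial chain is reported as a verification failure instead of being retried would help the next reader, since the retry loop below is the only path that could otherwise have completed the chain. X509_verify_cert begins and ends outside this hunk.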
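--- a/deps/openssl/openssl/crypto/x509/HEADER_PATH_NOT_SHOWN_ON_PAGE
+++ b/deps/openssl/openssl/crypto/x509/HEADER_PATH_NOT_SHOWN_ON_PAGE
@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 
 /* Allow partial chains if at least one certificate is in trusted store */
 # define X509_V_FLAG_PARTIAL_CHAIN 0x80000
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.1.0. Setting this flag
+ * will force the behaviour to match that of previous versions.
+ */
+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
 
 # define X509_VP_FLAG_DEFAULT 0x1
 # define X509_VP_FLAG_OVERWRITE 0x2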
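Review bot: The comment on the new `X509_V_FLAG_NO_ALT_CHAINS` macro gives the compatibility motivation but not the effect on verification results, which is what a caller deciding whether to set it needs to know; suggest appending `Verification then fails for a chain whose supplied intermediates lead to an untrusted issuer, even if a different path to a trust anchor exists.` It would also help to record that `0x100000` is the next bit after `X509_V_FLAG_PARTIAL_CHAIN` and must stay distinct from every other X509_V_FLAG_* value, since they are OR'd into the same `flags` word; the earlier flag definitions are outside this hunk, so that cannot be confirmed here. The `1.1.0` version reference should be checked against the release this vendored copy actually tracks.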