
Re: Curl thinks SSL cert for code.jquery.com has expired

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 1 Jun 2020 23:53:28 +0200 (CEST)

On Mon, 1 Jun 2020, Daniel Stenberg via curl-library wrote:

> Yes. This is a LibreSSL issue, also found in OpenSSL before 1.1.0, in all
> versions of GnuTLS and probably in some other TLS libs too.

If someone suffers from this bug with OpenSSL 1.0.2 (or something else from
before 1.1.0), it would be interesting to hear if the patch below has any
effect.

The X509_V_FLAG_TRUSTED_FIRST flag should presumably make it do right, and it
seems our added check there is what makes it not get used when it could've
saved users.

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 9e35f6ebc..3d62345f6 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3055,11 +3055,11 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
         OpenSSL do alternate chain checking by default which gives us the same
         fix without as much of a performance hit (slight), so we prefer that if
         available.

https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
      */
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+#if defined(X509_V_FLAG_TRUSTED_FIRST)
      X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
                           X509_V_FLAG_TRUSTED_FIRST);
  #endif
  #ifdef X509_V_FLAG_PARTIAL_CHAIN
      if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
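
Review bot: The comment kept just above the changed `#if` still says alternate chain checking is preferred "if available", but with `!defined(X509_V_FLAG_NO_ALT_CHAINS)` dropped the condition no longer expresses that preference: `X509_V_FLAG_TRUSTED_FIRST` is now set on every build that defines it, including builds that also have alternate chain checking. Please update the comment in the same change to say why the flag is now set unconditionally, and note that the "slight" performance hit it mentions then applies to those builds too. Since the mail asks for feedback from OpenSSL 1.0.2 and other pre-1.1.0 users, the commit message should also record which library versions were confirmed to verify correctly with this change.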

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
Received on 2020-06-01