CVSROOT:        /cvs
Module name:    src
Changes by:     t...@cvs.openbsd.org    2020/06/09 21:56:28

Modified files:
        lib/libcrypto/x509: Tag: OPENBSD_6_6 x509_vfy.c 

Log message:
OpenBSD 6.6 errata 032, June 11, 2020 (6.6/032_x509.patch.sig)

original commit:

CVSROOT:        /cvs
Module name:    src
Changes by:     js...@cvs.openbsd.org   2020/05/31 11:23:39

Modified files:
lib/libcrypto/x509: x509_vfy.c

Log message:
When building a chain look for non-expired certificates first.

Currently, when building a certificate chain we look up an issuer and if
it is the only issuer certificate available we still use it even if it has
expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted
certificates are processed first and if one of these happens to be expired
it will be used to build the chain, even if there is another non-expired
option in the trusted store.

Rework this code so that we first look for a non-expired untrusted
certificate. If one does not exist then we take a look in the trusted
store to see if we would be able to build the chain and only if there is
not, do we then look for an expired untrusted certificate.

This makes certificate validation possible for various sites that are
serving expired AddTrust certificates.

Issue reported by Christian Heimes via GitHub.

ok beck@ tb@

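To make the issuer-selection order described in the log message concrete, here is an added Python model (not libcrypto's own x509_vfy.c code) that contrasts the pre-errata lookup order with the new one on a constructed chain; the certificate names, dates and the simplified expiry-only notion of a "usable" trusted issuer are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def expired(cert, now):
    return cert.not_after < now

def candidates(cert, pool):
    # Issuer lookup by name only; signature checks are outside this model.
    return [c for c in pool if c.subject == cert.issuer]

def find_issuer_before(cert, untrusted, trusted, now):
    # Pre-errata order without X509_V_FLAG_TRUSTED_FIRST: search the untrusted
    # pool first and use its only candidate even when that candidate has expired.
    for pool in (untrusted, trusted):
        cands = candidates(cert, pool)
        if cands:
            live = [c for c in cands if not expired(c, now)]
            return (live or cands)[0]
    return None

def find_issuer_after(cert, untrusted, trusted, now):
    # Errata order: non-expired untrusted issuer, then a usable trusted-store
    # issuer, and only then an expired untrusted issuer.
    cands = candidates(cert, untrusted)
    live = [c for c in cands if not expired(c, now)]
    if live:
        return live[0]
    # Simplification (assumption): "usable" means not expired; libcrypto also
    # checks that a chain can actually be completed from the trusted candidate.
    for c in candidates(cert, trusted):
        if not expired(c, now):
            return c
    return cands[0] if cands else None

# Constructed scenario mirroring the AddTrust case: the server sends a copy of the
# root cross-signed by a legacy root that expired; the trust store holds the self-signed root.
UTC = timezone.utc
NOW = datetime(2020, 6, 11, tzinfo=UTC)
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", datetime(2030, 1, 1, tzinfo=UTC))
CROSS_SIGNED = Cert("Example Root CA", "Legacy Root", datetime(2020, 5, 30, tzinfo=UTC))
SELF_SIGNED = Cert("Example Root CA", "Example Root CA", datetime(2038, 1, 1, tzinfo=UTC))
UNTRUSTED = [INTERMEDIATE, CROSS_SIGNED]
TRUSTED = [SELF_SIGNED]
```

With the old order the expired cross-signed copy is chosen and the chain runs into the expired legacy root; with the new order the self-signed root from the trust store is chosen instead.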