git.ipfire.org Git - thirdparty/openssl.git/commit

]> git.ipfire.org Git - thirdparty/openssl.git/commit

projects / thirdparty / openssl.git / commit

author	Viktor Dukhovni <openssl-users@dukhovni.org>
	Mon, 30 Aug 2021 18:17:16 +0000 (14:17 -0400)
committer	Viktor Dukhovni <openssl-users@dukhovni.org>
	Fri, 3 Sep 2021 04:10:03 +0000 (00:10 -0400)
commit	661de442e4231a9b0411dc8562f9e465d1d7fabc
tree	6b1fa5605d53dc0cd494308177d192b294a827fa	tree
parent	505d44c623c2a883cf015f26a499842cea0161f0	commit \| diff

Prioritise DANE TLSA issuer certs over peer certs

When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.

This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert. We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).

Reviewed-by: Tomáš Mráz <tomas@openssl.org>

crypto/x509/x509_vfy.c

diff | blob | blame | history

Mirror of https://github.com/openssl/openssl.git

RSS Atom