move partial chain set to after set cert store. Should fix #4753
authorAlan T. DeKok <aland@freeradius.org>
Tue, 25 Oct 2022 12:59:53 +0000 (08:59 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 25 Oct 2022 14:51:45 +0000 (10:51 -0400)
src/main/tls.c

index 118978b52a3fd59669b4ca31eb98001f573f43ee..8a6844f4939b1753a019a06dd2ec5cf63f87541c 100644 (file)
@@ -3987,14 +3987,15 @@ load_ca:
        /*
         *      Load the CAs we trust and configure CRL checks if needed
         */
-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
-       X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
-#endif
        if (conf->ca_file || conf->ca_path) {
                if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
                SSL_CTX_set_cert_store(ctx, certstore);
        }
 
+#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+       X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
        if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
 
        conf->ca_path_last_reload = time(NULL);
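Review bot: The re-added `X509_STORE_set_flags(...)` block after `SSL_CTX_set_cert_store()` has no comment, so the ordering dependency this commit fixes is easy to break again; I would add above the `#if` something like `/* Must come after SSL_CTX_set_cert_store(): replacing the store drops flags set on the previous one. */`. The same comment should state what the flag means for trust: with `X509_V_FLAG_PARTIAL_CHAIN`, any certificate in `ca_file`/`ca_path`, including a non-self-signed intermediate, is accepted as a trust anchor, so chain building stops there. The `conf->ca_path_last_reload` line at the end of the hunk suggests the store may be rebuilt later; if that path also calls `fr_init_x509_store()`, the flag would need to be set there as well, which cannot be confirmed from this hunk. The enclosing function begins and ends outside the hunk.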