From: Benjamin Peterson <benjamin@python.org>
Date: Thu, 5 Mar 2015 03:11:12 +0000 (-0500)
Subject: enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
X-Git-Tag: v3.5.0a2~28^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fdb19715879babc580f63bc129f5b0ff46482d1c;p=thirdparty%2FPython%2Fcpython.git

enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 129843472f98..29c62144962c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+  flag on certificate stores when it is available.
+
 - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
   SSL layer but the underlying connection hasn't been closed.
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index e7ba58394910..a5b94eb4b00b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2063,6 +2063,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
                                    sizeof(SID_CTX));
 #undef SID_CTX
 
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
+
     return (PyObject *)self;
 }