From 65eb20260b5659cee755b75e4237b4359ee78942 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Thu, 3 Oct 2024 10:51:26 +0200
Subject: [PATCH] openssl quic: populate x509 store before handshake

Since OpenSSL does its own send/recv internally, we may miss the moment to populate the x509 store right before the server response. Do it instead before we start the handshake, at the loss of the time to set this up.

Closes #15137
---
 lib/vquic/curl_osslq.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/vquic/curl_osslq.c b/lib/vquic/curl_osslq.c
index c13eadd556..e5f737f8f0 100644
--- a/lib/vquic/curl_osslq.c
+++ b/lib/vquic/curl_osslq.c
@@ -1701,6 +1701,14 @@ static CURLcode cf_osslq_connect(struct Curl_cfilter *cf,
     }
   }
 
+  /* Since OpenSSL does its own send/recv internally, we may miss the
+   * moment to populate the x509 store right before the server response.
+   * Do it instead before we start the handshake, at the loss of the
+   * time to set this up. */
+  result = Curl_vquic_tls_before_recv(&ctx->tls, cf, data);
+  if(result)
+    goto out;
+
   ERR_clear_error();
 
   err = SSL_do_handshake(ctx->tls.ossl.ssl);
@@ -1725,7 +1733,6 @@ static CURLcode cf_osslq_connect(struct Curl_cfilter *cf,
     case SSL_ERROR_WANT_READ:
       ctx->q.last_io = now;
       CURL_TRC_CF(data, cf, "QUIC SSL_connect() -> WANT_RECV");
-      result = Curl_vquic_tls_before_recv(&ctx->tls, cf, data);
       goto out;
     case SSL_ERROR_WANT_WRITE:
       ctx->q.last_io = now;
-- 
2.47.2
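Review bot: The new Curl_vquic_tls_before_recv() call sits directly ahead of SSL_do_handshake() in cf_osslq_connect(), and since this is a non-blocking connect filter that is presumably re-entered until the handshake completes, it may now run on every pass rather than only on a WANT_READ return; that is only harmless if the helper is idempotent, which the old repeatedly-hit call site in the WANT_READ branch suggests but the hunk does not show, so it is worth confirming. The added comment's "at the loss of the time to set this up" is hard to parse; suggest stating the trade-off and the failure mode plainly, e.g. `/* OpenSSL does its own send/recv, so the "before first server response" hook can be missed. Populate the x509 store up front instead; this costs store setup time on connect, and a failure aborts before any handshake bytes are sent. */`. The helper's name no longer describes when this backend calls it, so a one-line note in its header that the OpenSSL QUIC filter invokes it before SSL_do_handshake() would help the next reader. cf_osslq_connect() begins before and ends after both hunks.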