From: Daniel Stenberg
Date: Sat, 20 Sep 2025 20:32:23 +0000 (+0200)
Subject: openssl: fail the transfer if ossl_certchain() fails
X-Git-Tag: rc-8_17_0-3~428
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16e0a2098d91c87ab77ce568acdeda724baf753a;p=thirdparty%2Fcurl.git

openssl: fail the transfer if ossl_certchain() fails

Since it would indicate errors to the degree that continuing would just risk hiding the earlier errors or make things weird.

Inspired by a report in Joshua's sarif data

Closes #18646
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index d07c1bf773..37cdd55747 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -355,9 +355,8 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
   DEBUGASSERT(ssl);
   sk = SSL_get_peer_cert_chain(ssl);
-  if(!sk) {
-    return CURLE_OUT_OF_MEMORY;
-  }
+  if(!sk)
+    return CURLE_SSL_CONNECT_ERROR;
   numcerts = sk_X509_num(sk);
@@ -4856,9 +4855,15 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
       return CURLE_OUT_OF_MEMORY;
     }
-  if(data->set.ssl.certinfo)
-    /* asked to gather certificate info */
-    (void)ossl_certchain(data, octx->ssl);
+  if(data->set.ssl.certinfo && !octx->reused_session) {
+    /* asked to gather certificate info. Reused sessions don't have cert
+       chains */
+    result = ossl_certchain(data, octx->ssl);
+    if(result) {
+      BIO_free(mem);
+      return result;
+    }
+  }
   octx->server_cert = SSL_get1_peer_certificate(octx->ssl);
   if(!octx->server_cert) {
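Review bot: The new `return CURLE_SSL_CONNECT_ERROR;` on a NULL chain needs a why-comment now that callers fail the whole transfer on it: SSL_get_peer_cert_chain() returns NULL not only on internal failure but also when the peer presented no certificate or the session was resumed, so a reader must know those benign cases are meant to be filtered out before this function is reached. Suggest `/* NULL means no chain was sent; callers must skip this for resumed sessions, so here it is a handshake-level failure */` above the check. The second hunk does add that skip in Curl_ossl_check_peer_cert(), but any other caller of ossl_certchain() outside this diff would need the same guard, which I cannot confirm from here. ossl_certchain()'s body continues past the hunk, so its remaining early returns are not visible.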
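Review bot: When certinfo was requested but `octx->reused_session` is set, the new condition silently skips ossl_certchain(), so CURLINFO_CERTINFO comes back empty with nothing in the verbose log explaining why; an else-branch such as `else if(data->set.ssl.certinfo) infof(data, "certinfo not gathered: session reused, no cert chain sent");` would make that diagnosable without changing the outcome. The `BIO_free(mem); return result;` error path mirrors the OOM return in the context above, which looks right, but `mem` and `result` are declared outside the hunk so I cannot confirm nothing else acquired between the two needs releasing. Curl_ossl_check_peer_cert() starts and ends outside the hunk.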