enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
authorBenjamin Peterson <benjamin@python.org>
Thu, 5 Mar 2015 03:11:12 +0000 (22:11 -0500)
committerBenjamin Peterson <benjamin@python.org>
Thu, 5 Mar 2015 03:11:12 +0000 (22:11 -0500)
Misc/NEWS
Modules/_ssl.c

index c480033fcaa65b7cea0db35388c77978078ccad3..1999d844e84acc8c7156e6de679a0a9be2b5cde2 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+  flag on certificate stores when it is available.
+
 - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
   SSL layer but the underlying connection hasn't been closed.
 
index f9d66a1dd9c9cc5f98bf4fb19e7e3400bd366599..309d00bf783caeaaa76dec8a0ce5f089cc76f574 100644 (file)
@@ -2072,6 +2072,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
                                    sizeof(SID_CTX));
 #undef SID_CTX
 
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
+
     return (PyObject *)self;
 }
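Review bot: The flag set on the store at the `X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);` line is applied once at context creation, and nothing in this hunk ties it to the Python-level `verify_flags` view of the same store; if that setter derives the flags to clear from the old and new values (its code is not visible here), a script doing `ctx.verify_flags = ssl.VERIFY_DEFAULT` would silently drop TRUSTED_FIRST and reintroduce the cross-signed-chain failures this commit fixes, with no constant available to put it back. I would expose the flag as a module constant, e.g. `VERIFY_X509_TRUSTED_FIRST`, alongside the existing verify-flag constants so callers can preserve it. The comment could also state the security property a reviewer wants to see: the flag makes the chain builder prefer a certificate from the trust store over an untrusted, possibly expired, cross-signing certificate sent by the peer, and it cannot weaken verification because a path to a configured trust anchor is still required. On newer OpenSSL releases this ordering is, as far as I recall, already the default, so the `#ifdef` guard is the right shape and the unchecked return of X509_STORE_set_flags is fine since it is unconditionally 1.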