From: Stefan Eissing
Date: Fri, 31 Oct 2025 16:57:53 +0000 (+0100)
Subject: sectrust: fix verifystatus via sectrust
X-Git-Tag: curl-8_17_0~44
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4630ed8faef1834e2b64f30acc24e5101d4d2fb;p=thirdparty%2Fcurl.git

sectrust: fix verifystatus via sectrust

When openssl does not verify the certificate, but apple sectrust does, we also pass it the ocsp stapled response when configured and available.

When openssl does not verify the cert chain, it will also not be able to verify the ocsp stapling. Do not call it if sectrust is the verifier of the cert chain.

Fixes #19307
Reported-by: Harry Sintonen
Closes #19308
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a2b2da00e0..5796960c6c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5155,6 +5155,9 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
   bool strict = (conn_config->verifypeer || conn_config->verifyhost);
   X509 *server_cert;
   bool verified = FALSE;
+#ifdef USE_APPLE_SECTRUST
+  bool sectrust_verified = FALSE;
+#endif
 
   if(data->set.ssl.certinfo && !octx->reused_session) {
     /* asked to gather certificate info. Reused sessions don't have cert
@@ -5207,6 +5210,7 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
     if(verified) {
       infof(data, "SSL certificate verified via Apple SecTrust.");
       ssl_config->certverifyresult = X509_V_OK;
+      sectrust_verified = TRUE;
     }
   }
 #endif
@@ -5222,7 +5226,13 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
   }
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
-  if(conn_config->verifystatus && !octx->reused_session) {
+  if(conn_config->verifystatus &&
+#ifdef USE_APPLE_SECTRUST
+     !sectrust_verified && /* already verified via apple sectrust, cannot
+                            * verifystate via OpenSSL in that case as it
+                            * does not have the trust anchors */
+#endif
+     !octx->reused_session) {
     /* do not do this after Session ID reuse */
     result = verifystatus(cf, data, octx);
     if(result)
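Review bot: The comment attached to the new `!sectrust_verified &&` operand in the third hunk misnames the skipped check as "verifystate"; the call being bypassed is `verifystatus()`, so the comment should read `/* chain was verified by Apple SecTrust; OpenSSL has no trust anchors for it and so cannot check the stapled OCSP status */`. It is not visible from this hunk whether the SecTrust path enforces `conn_config->verifystatus` as strictly as `verifystatus()` does on the OpenSSL path, in particular whether a missing stapled response still fails the handshake once `sectrust_verified` is set; if it does not, the option is quietly weaker on Apple builds and the comment should state which verifier is now responsible for the status check. Curl_ossl_check_peer_cert begins and ends outside the hunk.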