From b4630ed8faef1834e2b64f30acc24e5101d4d2fb Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Fri, 31 Oct 2025 17:57:53 +0100
Subject: [PATCH] sectrust: fix verifystatus via sectrust

When openssl does not verify the certificate, but apple sectrust does, we also pass it the ocsp stapled response when configured and available. When openssl does not verify the cert chain, it will also not be able to verify the ocsp stapling. Do not call it if sectrust is the verifier of the cert chain.

Fixes #19307
Reported-by: Harry Sintonen
Closes #19308
---
 lib/vtls/openssl.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a2b2da00e0..5796960c6c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5155,6 +5155,9 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
   bool strict = (conn_config->verifypeer || conn_config->verifyhost);
   X509 *server_cert;
   bool verified = FALSE;
+#ifdef USE_APPLE_SECTRUST
+  bool sectrust_verified = FALSE;
+#endif
 
   if(data->set.ssl.certinfo && !octx->reused_session) {
     /* asked to gather certificate info. Reused sessions don't have cert
@@ -5207,6 +5210,7 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
     if(verified) {
       infof(data, "SSL certificate verified via Apple SecTrust.");
       ssl_config->certverifyresult = X509_V_OK;
+      sectrust_verified = TRUE;
     }
   }
 #endif
@@ -5222,7 +5226,13 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
   }
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
-  if(conn_config->verifystatus && !octx->reused_session) {
+  if(conn_config->verifystatus &&
+#ifdef USE_APPLE_SECTRUST
+     !sectrust_verified && /* already verified via apple sectrust, cannot * verifystate via OpenSSL in that case as it * does not have the trust anchors */
+#endif
+     !octx->reused_session) {
     /* do not do this after Session ID reuse */
     result = verifystatus(cf, data, octx);
     if(result)
-- 
2.47.3
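Review bot: The new `!sectrust_verified` term in the third hunk skips the OpenSSL `verifystatus()` call entirely when SecTrust verified the chain, so a user who asked for OCSP stapling via CURLOPT_SSL_VERIFYSTATUS now relies on the Apple SecTrust path, which is outside this diff, to reject a handshake whose stapled response is missing or bad; as far as I recall `verifystatus()` is where curl fails closed on "no OCSP response received", so unless the SecTrust path is confirmed to do the same when `verifystatus` is set, this quietly weakens the check, and at minimum the delegation should be visible, e.g. `infof(data, "OCSP stapling check delegated to Apple SecTrust.");` next to `sectrust_verified = TRUE;`. The inline comment also misnames the function: `cannot verifystate via OpenSSL` should read `cannot run verifystatus() via OpenSSL`. Interleaving `#ifdef` inside the `if` condition is hard to read; a `bool ocsp_via_openssl = TRUE;` declared beside `sectrust_verified` and cleared in the SecTrust branch would keep the condition on one line and drop the second `#ifdef`. `Curl_ossl_check_peer_cert` begins before the first hunk and continues past the last, so the handling of `result` after `verifystatus()` is not visible here.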