enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
diff --git a/Misc/NEWS b/Misc/NEWS
index c480033..1999d84 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@
 Library
 -------
 
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+  flag on certificate stores when it is available.
+
 - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
   SSL layer but the underlying connection hasn't been closed.
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index f9d66a1..309d00b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2072,6 +2072,15 @@
                                    sizeof(SID_CTX));
 #undef SID_CTX
 
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
+
     return (PyObject *)self;
 }
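Review bot: The comment on the new `#ifdef X509_V_FLAG_TRUSTED_FIRST` block does not say that it changes the default chain-building behaviour of every context created here, nor that the decision is made at compile time from the OpenSSL headers, so a build without the macro silently keeps the old behaviour. I would extend it to something like `/* Prefer chains anchored in the local trust store over certificates sent by the peer; applied to every context, only when the build headers define the flag. */`. The return value of `X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);` is also discarded, so a failure would leave the context without the flag and without an error; either check it or add a comment saying why it is safe to ignore. Whether callers can observe or clear the flag afterwards is not visible in the hunk, whose enclosing function starts above it.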