enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
diff --git a/Misc/NEWS b/Misc/NEWS
index c480033..1999d84 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@
Library
-------
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+ flag on certificate stores when it is available.
+
- Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
SSL layer but the underlying connection hasn't been closed.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index f9d66a1..309d00b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2072,6 +2072,15 @@
sizeof(SID_CTX));
#undef SID_CTX
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+ {
+ /* Improve trust chain building when cross-signed intermediate
+ certificates are present. See https://bugs.python.org/issue23476. */
+ X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+ X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+ }
+#endif
+
return (PyObject *)self;
}