Prioritise DANE TLSA issuer certs over peer certs
author Viktor Dukhovni <openssl-users@dukhovni.org>
Mon, 30 Aug 2021 18:17:16 +0000 (14:17 -0400)
committer Viktor Dukhovni <openssl-users@dukhovni.org>
Fri, 3 Sep 2021 04:10:03 +0000 (00:10 -0400)
commit 661de442e4231a9b0411dc8562f9e465d1d7fabc
tree 6b1fa5605d53dc0cd494308177d192b294a827fa
parent 505d44c623c2a883cf015f26a499842cea0161f0

When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.

This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert.  We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).

Reviewed-by: Tomáš Mráz <tomas@openssl.org>
crypto/x509/x509_vfy.c
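An added example, not code from this commit or from OpenSSL: a deliberately simplified model of chain building that reproduces the cross-cert scenario described in the commit message. Certificates are plain records (a `cert_id` stands in for the DER bytes), the TLSA certificates are assumed to be DANE-TA(2) Cert(0) Full(0) records, and the only difference between the two runs is whether TLSA-supplied issuers are tried before or after the issuers the peer sent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    cert_id: str  # stands in for the DER bytes; a cross cert and a self-signed
                  # cert for the same CA have the same names but differ here

@dataclass(frozen=True)
class TlsaRecord:
    usage: int     # 2 = DANE-TA (assumed for this model)
    selector: int  # 0 = Cert (full certificate, not just SPKI)
    mtype: int     # 0 = Full (no hash)
    cert: Cert

def tlsa_issuer_certs(tlsa):
    """Full certificates from DANE-TA(2) Cert(0) Full(0) records usable as issuers."""
    return [r.cert for r in tlsa if (r.usage, r.selector, r.mtype) == (2, 0, 0)]

def build_chain(peer_chain, tlsa, prefer_tlsa):
    """Walk up from the leaf, taking the FIRST candidate in the pool whose
    subject matches the current issuer name. Pool order is the whole point."""
    peer_issuers = list(peer_chain[1:])
    dane = tlsa_issuer_certs(tlsa)
    pool = dane + peer_issuers if prefer_tlsa else peer_issuers + dane
    chain = [peer_chain[0]]
    while chain[-1].subject != chain[-1].issuer:  # stop at a self-signed cert
        cur = chain[-1]
        nxt = next((c for c in pool if c.subject == cur.issuer and c not in chain), None)
        if nxt is None:
            break  # no issuer available; chain stays incomplete
        chain.append(nxt)
    return chain

def dane_ta_matches(chain, tlsa):
    """DANE-TA(2) Cert(0) Full(0) matches only if the exact TLSA cert is in the chain."""
    return any(c in chain for c in tlsa_issuer_certs(tlsa))

# Constructed scenario: the server sends its leaf plus a cross cert for NewRoot
# (signed by OldRoot); DNS publishes NewRoot's self-signed cert in a TLSA record.
LEAF = Cert("example.com", "NewRoot", "leaf")
NEWROOT_CROSS = Cert("NewRoot", "OldRoot", "newroot-cross-signed")
NEWROOT_SELF = Cert("NewRoot", "NewRoot", "newroot-self-signed")
PEER_CHAIN = [LEAF, NEWROOT_CROSS]
TLSA = [TlsaRecord(2, 0, 0, NEWROOT_SELF)]

if __name__ == "__main__":
    for prefer in (False, True):
        chain = build_chain(PEER_CHAIN, TLSA, prefer_tlsa=prefer)
        print(prefer, [c.cert_id for c in chain], dane_ta_matches(chain, TLSA))
```

With peer issuers first, the chain ends at the cross cert, which is not the certificate in the TLSA record, so DANE-TA matching fails; with TLSA issuers first, the self-signed root from DNS is chosen and the record matches.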