Update from 1.0.0-stable.
[openssl.git] / crypto / x509 / x509_vfy.c
index dd4065b0ceb6ac545e7b1a65e84d736b5709b9bc..200a9cc0b6bab27359e1aeb99c58d021a3d8cefa 100644 (file)
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
                {
                ctx->error_depth=n;
 
-               /* Skip signature check for self signed certificates. It
-                * doesn't add any security and just wastes time.
+               /* Skip signature check for self signed certificates unless
+                * explicitly asked for. It doesn't add any security and
+                * just wastes time.
                 */
-               if (!xs->valid && xs != xi)
+               if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
                        {
                        if ((pkey=X509_get_pubkey(xi)) == NULL)
                                {
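Review bot: The new `X509_V_FLAG_CHECK_SS_SIGNATURE` term in the `if` is still gated by `!xs->valid`, so a self signed certificate whose `valid` field was set on an earlier pass that skipped the check would not have its signature verified, even when the caller sets the flag. The assignment to `valid` is outside this hunk (internal_verify starts before it and continues past it), so this needs confirming against the rest of the function. If `valid` is set after a skipped check, the condition could be split as `if ((!xs->valid && xs != xi) || (xs == xi && (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))`. The comment's "doesn't add any security" also reads oddly next to an opt-in flag; I would extend it with `A self signed signature proves nothing about trust; the optional check only detects a corrupt or malformed certificate.`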