Don't check self signed certificate signature security.

author Dr. Stephen Henson <steve@openssl.org>

Thu, 11 Feb 2016 15:25:11 +0000 (15:25 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Thu, 11 Feb 2016 19:00:41 +0000 (19:00 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Thu, 11 Feb 2016 15:25:11 +0000 (15:25 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Thu, 11 Feb 2016 19:00:41 +0000 (19:00 +0000)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index e0e0cb95ac7985ae77d23271ba5be78b773d48da..d7a6f954b464b078bc92b1f59ba26aa8652edb6b 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4122,6 +4122,9 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  {
      /* Lookup signature algorithm digest */
      int secbits = -1, md_nid = NID_undef, sig_nid;
+    /* Don't check signature if self signed */
+    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+        return 1;
      sig_nid = X509_get_signature_nid(x);
      if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
          const EVP_MD *md;
author	Dr. Stephen Henson <steve@openssl.org>
	Thu, 11 Feb 2016 15:25:11 +0000 (15:25 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Thu, 11 Feb 2016 19:00:41 +0000 (19:00 +0000)