enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)

b1ebba5b · Benjamin Peterson · 34c8d983 · b1ebba5b · b1ebba5b
Commit b1ebba5b authored Mar 04, 2015 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

Misc/NEWS Misc/NEWS +3 -0

Modules/_ssl.c Modules/_ssl.c +9 -0

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+  flag on certificate stores when it is available.
 - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
  SSL layer but the underlying connection hasn't been closed.

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2072,6 +2072,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
                                   sizeof(SID_CTX));
 #undef SID_CTX
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
    return (PyObject *)self;
 }