Commit f5b37602 authored by Benjamin Peterson's avatar Benjamin Peterson

enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)

parent c4c79830
...@@ -18,6 +18,9 @@ Core and Builtins ...@@ -18,6 +18,9 @@ Core and Builtins
Library Library
------- -------
- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
flag on certificate stores when it is available.
- Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
SSL layer but the underlying connection hasn't been closed. SSL layer but the underlying connection hasn't been closed.
......
...@@ -2072,6 +2072,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) ...@@ -2072,6 +2072,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
sizeof(SID_CTX)); sizeof(SID_CTX));
#undef SID_CTX #undef SID_CTX
#ifdef X509_V_FLAG_TRUSTED_FIRST
{
/* Improve trust chain building when cross-signed intermediate
certificates are present. See https://bugs.python.org/issue23476. */
X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
}
#endif
return (PyObject *)self; return (PyObject *)self;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment