From 691a45c477c4950bfd7c325913a8c30ec9972028 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Mon, 1 Nov 2021 15:01:50 +0100
Subject: TLS: OpenSSL 1.0.2 workaround Let's Encrypt Expiry

...of cross-signed certificate.
---
 socket.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'socket.c')

diff --git a/socket.c b/socket.c
index b7be292c..8887c094 100644
--- a/socket.c
+++ b/socket.c
@@ -1210,7 +1210,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
             }
         }
-        /* OpenSSL >= 1.0.2: set host name for verification */
+        /* set host name for verification, only available since OpenSSL 1.0.2 */
         /* XXX FIXME: do we need to change the function's signature and pass the akalist to
          * permit the other hostnames through SSL? */
         /* https://wiki.openssl.org/index.php/Hostname_validation */
@@ -1224,6 +1224,20 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
                     (void *)_ssl_context[sock], servercname, r);
             ERR_print_errors_fp(stderr);
         }
+
+        /* OpenSSL 1.0.2 and 1.0.2 only:
+         * work around Let's Encrypt Cross-Signing Certificate Expiry,
+         * https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+         * Workaround #2 */
+        /* OpenSSL 1.x.x: 0xMNNFFPPSL: major minor fix patch status
+         * OpenSSL 3.0.0: 0xMNN00PPSL: synthesized */
+        /* 0xMNNFFPPsL 0xMNNFFPPsL */
+        if (0x1000200fL == (ver & 0xfffff000L)) {
+            X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
+        }
+
+        /* param is a pointer to internal OpenSSL data, must not be freed,
+         * and just goes out of scope */
     }
     if( mycert || mykey ) {
-- 
cgit v1.2.3
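Review bot: The version test in the second hunk can never be true: `ver & 0xfffff000L` clears the low twelve bits, but the constant it is compared against, `0x1000200fL`, has `f` in its lowest nibble, so the X509_V_FLAG_TRUSTED_FIRST workaround is dead code on every OpenSSL build and 1.0.2 users keep failing chain verification through the expired cross-signed root, which is exactly the situation that tempts people into turning certificate checking off. The intended comparison matches only the major/minor/fix fields the mask keeps, `if (0x10002000L == (ver & 0xfffff000L)) {`. The comment above it reads "OpenSSL 1.0.2 and 1.0.2 only", which presumably means "1.0.2 (any patch letter) only" and is worth correcting in the same change. `ver` and `param` are assigned outside this hunk, and SSLOpen continues past it.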