add alternative certificate chain discovery support from upstream
This commit is contained in:
parent
a1fb602a95
commit
d743a79756
527
openssl-1.0.2a-alt-chains.patch
Normal file
527
openssl-1.0.2a-alt-chains.patch
Normal file
@ -0,0 +1,527 @@
|
||||
diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c
|
||||
--- openssl-1.0.2a/apps/apps.c.alt-chains 2015-03-19 14:30:36.000000000 +0100
|
||||
+++ openssl-1.0.2a/apps/apps.c 2015-04-28 16:49:50.124558770 +0200
|
||||
@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg
|
||||
flags |= X509_V_FLAG_SUITEB_192_LOS;
|
||||
else if (!strcmp(arg, "-partial_chain"))
|
||||
flags |= X509_V_FLAG_PARTIAL_CHAIN;
|
||||
+ else if (!strcmp(arg, "-no_alt_chains"))
|
||||
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
|
||||
else
|
||||
return 0;
|
||||
|
||||
diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c
|
||||
--- openssl-1.0.2a/apps/cms.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
|
||||
+++ openssl-1.0.2a/apps/cms.c 2015-04-28 16:49:50.125558793 +0200
|
||||
@@ -648,6 +648,8 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf(bio_err,
|
||||
"-trusted_first use trusted certificates first when building the trust chain\n");
|
||||
BIO_printf(bio_err,
|
||||
+ "-no_alt_chains only ever use the first certificate chain found\n");
|
||||
+ BIO_printf(bio_err,
|
||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
BIO_printf(bio_err,
|
||||
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||
diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c
|
||||
--- openssl-1.0.2a/apps/ocsp.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
|
||||
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-28 16:49:50.125558793 +0200
|
||||
@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf(bio_err,
|
||||
"-trusted_first use trusted certificates first when building the trust chain\n");
|
||||
BIO_printf(bio_err,
|
||||
+ "-no_alt_chains only ever use the first certificate chain found\n");
|
||||
+ BIO_printf(bio_err,
|
||||
"-VAfile file validator certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
"-validity_period n maximum validity discrepancy in seconds\n");
|
||||
diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c
|
||||
--- openssl-1.0.2a/apps/s_client.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
|
||||
+++ openssl-1.0.2a/apps/s_client.c 2015-04-28 16:49:50.126558815 +0200
|
||||
@@ -335,6 +335,8 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err,
|
||||
" -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||
BIO_printf(bio_err,
|
||||
+ " -no_alt_chains - only ever use the first certificate chain found\n");
|
||||
+ BIO_printf(bio_err,
|
||||
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||
BIO_printf(bio_err,
|
||||
" -pause - sleep(1) after each read(2) and write(2) system call\n");
|
||||
diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c
|
||||
--- openssl-1.0.2a/apps/smime.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
|
||||
+++ openssl-1.0.2a/apps/smime.c 2015-04-28 16:49:50.128558861 +0200
|
||||
@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf(bio_err,
|
||||
"-trusted_first use trusted certificates first when building the trust chain\n");
|
||||
BIO_printf(bio_err,
|
||||
+ "-no_alt_chains only ever use the first certificate chain found\n");
|
||||
+ BIO_printf(bio_err,
|
||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
BIO_printf(bio_err,
|
||||
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||
diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c
|
||||
--- openssl-1.0.2a/apps/s_server.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
|
||||
+++ openssl-1.0.2a/apps/s_server.c 2015-04-28 16:49:50.128558861 +0200
|
||||
@@ -571,6 +571,8 @@ static void sv_usage(void)
|
||||
BIO_printf(bio_err,
|
||||
" -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||
BIO_printf(bio_err,
|
||||
+ " -no_alt_chains - only ever use the first certificate chain found\n");
|
||||
+ BIO_printf(bio_err,
|
||||
" -nocert - Don't use any certificates (Anon-DH)\n");
|
||||
BIO_printf(bio_err,
|
||||
" -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
||||
diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c
|
||||
--- openssl-1.0.2a/apps/verify.c.alt-chains 2015-04-28 16:49:50.128558861 +0200
|
||||
+++ openssl-1.0.2a/apps/verify.c 2015-04-28 16:50:52.210974346 +0200
|
||||
@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
|
||||
if (ret == 1) {
|
||||
BIO_printf(bio_err,
|
||||
"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
||||
- BIO_printf(bio_err, " [-attime timestamp]");
|
||||
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
BIO_printf(bio_err, " [-engine e]");
|
||||
#endif
|
||||
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains 2015-04-23 10:22:56.188684277 +0200
|
||||
+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-28 17:03:40.478786778 +0200
|
||||
@@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR
|
||||
|
||||
int X509_verify_cert(X509_STORE_CTX *ctx)
|
||||
{
|
||||
- X509 *x, *xtmp, *chain_ss = NULL;
|
||||
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
|
||||
int bad_chain = 0;
|
||||
X509_VERIFY_PARAM *param = ctx->param;
|
||||
int depth, i, ok = 0;
|
||||
- int num;
|
||||
+ int num, j, retry;
|
||||
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
||||
STACK_OF(X509) *sktmp = NULL;
|
||||
if (ctx->cert == NULL) {
|
||||
@@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
break;
|
||||
}
|
||||
|
||||
+ /* Remember how many untrusted certs we have */
|
||||
+ j = num;
|
||||
/*
|
||||
* at this point, chain should contain a list of untrusted certificates.
|
||||
* We now need to add at least one trusted one, if possible, otherwise we
|
||||
* complain.
|
||||
*/
|
||||
|
||||
- /*
|
||||
- * Examine last certificate in chain and see if it is self signed.
|
||||
- */
|
||||
-
|
||||
- i = sk_X509_num(ctx->chain);
|
||||
- x = sk_X509_value(ctx->chain, i - 1);
|
||||
- if (cert_self_signed(x)) {
|
||||
- /* we have a self signed certificate */
|
||||
- if (sk_X509_num(ctx->chain) == 1) {
|
||||
- /*
|
||||
- * We have a single self signed certificate: see if we can find
|
||||
- * it in the store. We must have an exact match to avoid possible
|
||||
- * impersonation.
|
||||
- */
|
||||
- ok = ctx->get_issuer(&xtmp, ctx, x);
|
||||
- if ((ok <= 0) || X509_cmp(x, xtmp)) {
|
||||
- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
|
||||
- ctx->current_cert = x;
|
||||
- ctx->error_depth = i - 1;
|
||||
- if (ok == 1)
|
||||
- X509_free(xtmp);
|
||||
- bad_chain = 1;
|
||||
- ok = cb(0, ctx);
|
||||
- if (!ok)
|
||||
- goto end;
|
||||
+ do {
|
||||
+ /*
|
||||
+ * Examine last certificate in chain and see if it is self signed.
|
||||
+ */
|
||||
+ i = sk_X509_num(ctx->chain);
|
||||
+ x = sk_X509_value(ctx->chain, i - 1);
|
||||
+ if (cert_self_signed(x)) {
|
||||
+ /* we have a self signed certificate */
|
||||
+ if (sk_X509_num(ctx->chain) == 1) {
|
||||
+ /*
|
||||
+ * We have a single self signed certificate: see if we can
|
||||
+ * find it in the store. We must have an exact match to avoid
|
||||
+ * possible impersonation.
|
||||
+ */
|
||||
+ ok = ctx->get_issuer(&xtmp, ctx, x);
|
||||
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
|
||||
+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
|
||||
+ ctx->current_cert = x;
|
||||
+ ctx->error_depth = i - 1;
|
||||
+ if (ok == 1)
|
||||
+ X509_free(xtmp);
|
||||
+ bad_chain = 1;
|
||||
+ ok = cb(0, ctx);
|
||||
+ if (!ok)
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * We have a match: replace certificate with store
|
||||
+ * version so we get any trust settings.
|
||||
+ */
|
||||
+ X509_free(x);
|
||||
+ x = xtmp;
|
||||
+ (void)sk_X509_set(ctx->chain, i - 1, x);
|
||||
+ ctx->last_untrusted = 0;
|
||||
+ }
|
||||
} else {
|
||||
/*
|
||||
- * We have a match: replace certificate with store version so
|
||||
- * we get any trust settings.
|
||||
+ * extract and save self signed certificate for later use
|
||||
*/
|
||||
- X509_free(x);
|
||||
- x = xtmp;
|
||||
- (void)sk_X509_set(ctx->chain, i - 1, x);
|
||||
- ctx->last_untrusted = 0;
|
||||
+ chain_ss = sk_X509_pop(ctx->chain);
|
||||
+ ctx->last_untrusted--;
|
||||
+ num--;
|
||||
+ j--;
|
||||
+ x = sk_X509_value(ctx->chain, num - 1);
|
||||
}
|
||||
- } else {
|
||||
- /*
|
||||
- * extract and save self signed certificate for later use
|
||||
- */
|
||||
- chain_ss = sk_X509_pop(ctx->chain);
|
||||
- ctx->last_untrusted--;
|
||||
- num--;
|
||||
- x = sk_X509_value(ctx->chain, num - 1);
|
||||
}
|
||||
- }
|
||||
-
|
||||
- /* We now lookup certs from the certificate store */
|
||||
- for (;;) {
|
||||
- /* If we have enough, we break */
|
||||
- if (depth < num)
|
||||
- break;
|
||||
+ /* We now lookup certs from the certificate store */
|
||||
+ for (;;) {
|
||||
+ /* If we have enough, we break */
|
||||
+ if (depth < num)
|
||||
+ break;
|
||||
+ /* If we are self signed, we break */
|
||||
+ if (cert_self_signed(x))
|
||||
+ break;
|
||||
+ ok = ctx->get_issuer(&xtmp, ctx, x);
|
||||
|
||||
- /* If we are self signed, we break */
|
||||
- if (cert_self_signed(x))
|
||||
- break;
|
||||
+ if (ok < 0)
|
||||
+ return ok;
|
||||
+ if (ok == 0)
|
||||
+ break;
|
||||
+ x = xtmp;
|
||||
+ if (!sk_X509_push(ctx->chain, x)) {
|
||||
+ X509_free(xtmp);
|
||||
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ num++;
|
||||
+ }
|
||||
|
||||
- ok = ctx->get_issuer(&xtmp, ctx, x);
|
||||
+ /* we now have our chain, lets check it... */
|
||||
+ i = check_trust(ctx);
|
||||
|
||||
- if (ok < 0)
|
||||
- return ok;
|
||||
- if (ok == 0)
|
||||
- break;
|
||||
+ /* If explicitly rejected error */
|
||||
+ if (i == X509_TRUST_REJECTED)
|
||||
+ goto end;
|
||||
+ /*
|
||||
+ * If it's not explicitly trusted then check if there is an alternative
|
||||
+ * chain that could be used. We only do this if we haven't already
|
||||
+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
|
||||
+ * chain checking
|
||||
+ */
|
||||
+ retry = 0;
|
||||
+ if (i != X509_TRUST_TRUSTED
|
||||
+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
|
||||
+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
||||
+ while (j-- > 1) {
|
||||
+ STACK_OF(X509) *chtmp = ctx->chain;
|
||||
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
||||
+ /*
|
||||
+ * Temporarily set chain to NULL so we don't discount
|
||||
+ * duplicates: the same certificate could be an untrusted
|
||||
+ * CA found in the trusted store.
|
||||
+ */
|
||||
+ ctx->chain = NULL;
|
||||
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
||||
+ ctx->chain = chtmp;
|
||||
+ if (ok < 0)
|
||||
+ goto end;
|
||||
+ /* Check if we found an alternate chain */
|
||||
+ if (ok > 0) {
|
||||
+ /*
|
||||
+ * Free up the found cert we'll add it again later
|
||||
+ */
|
||||
+ X509_free(xtmp);
|
||||
|
||||
- x = xtmp;
|
||||
- if (!sk_X509_push(ctx->chain, x)) {
|
||||
- X509_free(xtmp);
|
||||
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
||||
- return 0;
|
||||
+ /*
|
||||
+ * Dump all the certs above this point - we've found an
|
||||
+ * alternate chain
|
||||
+ */
|
||||
+ while (num > j) {
|
||||
+ xtmp = sk_X509_pop(ctx->chain);
|
||||
+ X509_free(xtmp);
|
||||
+ num--;
|
||||
+ ctx->last_untrusted--;
|
||||
+ }
|
||||
+ retry = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
- num++;
|
||||
- }
|
||||
+ } while (retry);
|
||||
|
||||
- /* we now have our chain, lets check it... */
|
||||
-
|
||||
- i = check_trust(ctx);
|
||||
-
|
||||
- /* If explicitly rejected error */
|
||||
- if (i == X509_TRUST_REJECTED)
|
||||
- goto end;
|
||||
/*
|
||||
* If not explicitly trusted then indicate error unless it's a single
|
||||
* self signed certificate in which case we've indicated an error already
|
||||
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h
|
||||
--- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains 2015-04-23 10:22:56.016679751 +0200
|
||||
+++ openssl-1.0.2a/crypto/x509/x509_vfy.h 2015-04-28 16:49:18.551838908 +0200
|
||||
@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
||||
|
||||
/* Allow partial chains if at least one certificate is in trusted store */
|
||||
# define X509_V_FLAG_PARTIAL_CHAIN 0x80000
|
||||
+/*
|
||||
+ * If the initial chain is not trusted, do not attempt to build an alternative
|
||||
+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
|
||||
+ * will force the behaviour to match that of previous versions.
|
||||
+ */
|
||||
+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
|
||||
|
||||
# define X509_VP_FLAG_DEFAULT 0x1
|
||||
# define X509_VP_FLAG_OVERWRITE 0x2
|
||||
diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod
|
||||
--- openssl-1.0.2a/doc/apps/cms.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
||||
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-28 16:54:17.537682406 +0200
|
||||
@@ -36,6 +36,7 @@ B<openssl> B<cms>
|
||||
[B<-CAfile file>]
|
||||
[B<-CApath dir>]
|
||||
[B<-trusted_first>]
|
||||
+[B<-no_alt_chains>]
|
||||
[B<-md digest>]
|
||||
[B<-[cipher]>]
|
||||
[B<-nointern>]
|
||||
@@ -426,7 +427,7 @@ portion of a message so they may be incl
|
||||
then many S/MIME mail clients check the signers certificate's email
|
||||
address matches that specified in the From: address.
|
||||
|
||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
||||
|
||||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
@@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir
|
||||
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
|
||||
to OpenSSL 1.1.0.
|
||||
|
||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
+
|
||||
=cut
|
||||
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod
|
||||
--- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
||||
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-28 16:53:44.564914852 +0200
|
||||
@@ -30,6 +30,7 @@ B<openssl> B<ocsp>
|
||||
[B<-CApath dir>]
|
||||
[B<-CAfile file>]
|
||||
[B<-trusted_first>]
|
||||
+[B<-no_alt_chains>]
|
||||
[B<-VAfile file>]
|
||||
[B<-validity_period n>]
|
||||
[B<-status_age n>]
|
||||
@@ -151,6 +152,10 @@ in the response or residing in other cer
|
||||
chain to verify responder certificate.
|
||||
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||
|
||||
+=item B<-no_alt_chains>
|
||||
+
|
||||
+See L<B<verify>|verify(1)> manual page for details.
|
||||
+
|
||||
=item B<-verify_other file>
|
||||
|
||||
file containing additional certificates to search when attempting to locate
|
||||
@@ -388,3 +393,9 @@ second file.
|
||||
|
||||
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
|
||||
-reqin req.der -respout resp.der
|
||||
+
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
+
|
||||
+=cut
|
||||
diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
||||
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-28 16:55:24.812248450 +0200
|
||||
@@ -20,6 +20,7 @@ B<openssl> B<s_client>
|
||||
[B<-CApath directory>]
|
||||
[B<-CAfile filename>]
|
||||
[B<-trusted_first>]
|
||||
+[B<-no_alt_chains>]
|
||||
[B<-reconnect>]
|
||||
[B<-pause>]
|
||||
[B<-showcerts>]
|
||||
@@ -124,7 +125,7 @@ also used when building the client certi
|
||||
A file containing trusted certificates to use during server authentication
|
||||
and to use when attempting to build the client certificate chain.
|
||||
|
||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
|
||||
|
||||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
@@ -365,4 +366,8 @@ information whenever a session is renego
|
||||
|
||||
L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
|
||||
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
+
|
||||
=cut
|
||||
diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod
|
||||
--- openssl-1.0.2a/doc/apps/smime.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
||||
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-28 16:57:33.598246384 +0200
|
||||
@@ -18,6 +18,7 @@ B<openssl> B<smime>
|
||||
[B<-CAfile file>]
|
||||
[B<-CApath dir>]
|
||||
[B<-trusted_first>]
|
||||
+[B<-no_alt_chains>]
|
||||
[B<-certfile file>]
|
||||
[B<-signer file>]
|
||||
[B<-recip file>]
|
||||
@@ -268,7 +269,7 @@ portion of a message so they may be incl
|
||||
then many S/MIME mail clients check the signers certificate's email
|
||||
address matches that specified in the From: address.
|
||||
|
||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
||||
|
||||
Set various options of certificate chain verification. See
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
@@ -450,5 +451,6 @@ structures may cause parsing errors.
|
||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
||||
added in OpenSSL 1.0.0
|
||||
|
||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
|
||||
=cut
|
||||
diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod
|
||||
--- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
||||
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-28 16:56:27.494707598 +0200
|
||||
@@ -34,6 +34,7 @@ B<openssl> B<s_server>
|
||||
[B<-CApath directory>]
|
||||
[B<-CAfile filename>]
|
||||
[B<-trusted_first>]
|
||||
+[B<-no_alt_chains>]
|
||||
[B<-nocert>]
|
||||
[B<-cipher cipherlist>]
|
||||
[B<-serverpref>]
|
||||
@@ -181,6 +182,10 @@ Use certificates in CA file or CA direct
|
||||
when building the trust chain to verify client certificates.
|
||||
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||
|
||||
+=item B<-no_alt_chains>
|
||||
+
|
||||
+See the L<B<verify>|verify(1)> manual page for details.
|
||||
+
|
||||
=item B<-state>
|
||||
|
||||
prints out the SSL session states.
|
||||
@@ -413,4 +418,8 @@ unknown cipher suites a client says it s
|
||||
|
||||
L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
|
||||
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
+
|
||||
=cut
|
||||
diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod
|
||||
--- openssl-1.0.2a/doc/apps/verify.pod.alt-chains 2015-04-23 10:22:56.228685330 +0200
|
||||
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-28 16:52:22.544033948 +0200
|
||||
@@ -26,6 +26,7 @@ B<openssl> B<verify>
|
||||
[B<-extended_crl>]
|
||||
[B<-use_deltas>]
|
||||
[B<-policy_print>]
|
||||
+[B<-no_alt_chains>]
|
||||
[B<-untrusted file>]
|
||||
[B<-help>]
|
||||
[B<-issuer_checks>]
|
||||
@@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy (
|
||||
|
||||
Set policy variable inhibit-policy-mapping (see RFC5280).
|
||||
|
||||
+=item B<-no_alt_chains>
|
||||
+
|
||||
+When building a certificate chain, if the first certificate chain found is not
|
||||
+trusted, then OpenSSL will continue to check to see if an alternative chain can
|
||||
+be found that is trusted. With this option that behaviour is suppressed so that
|
||||
+only the first chain found is ever used. Using this option will force the
|
||||
+behaviour to match that of previous OpenSSL versions.
|
||||
+
|
||||
=item B<-policy_print>
|
||||
|
||||
Print out diagnostics related to policy processing.
|
||||
@@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER
|
||||
|
||||
L<x509(1)|x509(1)>
|
||||
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
+
|
||||
=cut
|
||||
diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
|
||||
--- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-03-19 14:30:36.000000000 +0100
|
||||
+++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-28 16:52:22.544033948 +0200
|
||||
@@ -197,6 +197,12 @@ verification. If this flag is set then a
|
||||
to the verification callback and it B<must> be prepared to handle such cases
|
||||
without assuming they are hard errors.
|
||||
|
||||
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
|
||||
+chains. By default, when building a certificate chain, if the first certificate
|
||||
+chain found is not trusted, then OpenSSL will continue to check to see if an
|
||||
+alternative chain can be found that is trusted. With this flag set the behaviour
|
||||
+will match that of OpenSSL versions prior to 1.0.2b.
|
||||
+
|
||||
=head1 NOTES
|
||||
|
||||
The above functions should be used to manipulate verification parameters
|
||||
@@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
-TBA
|
||||
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
|
||||
|
||||
=cut
|
15
openssl.spec
15
openssl.spec
@ -23,7 +23,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.2a
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -78,14 +78,15 @@ Patch74: openssl-1.0.2a-no-md5-verify.patch
|
||||
Patch75: openssl-1.0.2a-compat-symbols.patch
|
||||
Patch76: openssl-1.0.2a-new-fips-reqs.patch
|
||||
Patch77: openssl-1.0.2a-weak-ciphers.patch
|
||||
Patch78: openssl-1.0.2a-cc-reqs.patch
|
||||
Patch90: openssl-1.0.2a-enc-fail.patch
|
||||
Patch92: openssl-1.0.2a-system-cipherlist.patch
|
||||
Patch93: openssl-1.0.2a-disable-sslv2v3.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch80: openssl-1.0.2a-wrap-pad.patch
|
||||
Patch81: openssl-1.0.2a-padlock64.patch
|
||||
Patch84: openssl-1.0.2a-trusted-first-doc.patch
|
||||
Patch87: openssl-1.0.2a-cc-reqs.patch
|
||||
Patch82: openssl-1.0.2a-trusted-first-doc.patch
|
||||
Patch83: openssl-1.0.2a-alt-chains.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -198,14 +199,15 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||
%patch75 -p1 -b .compat
|
||||
%patch76 -p1 -b .fips-reqs
|
||||
%patch77 -p1 -b .weak-ciphers
|
||||
%patch78 -p1 -b .cc-reqs
|
||||
%patch90 -p1 -b .enc-fail
|
||||
%patch92 -p1 -b .system
|
||||
%patch93 -p1 -b .v2v3
|
||||
|
||||
%patch80 -p1 -b .wrap
|
||||
%patch81 -p1 -b .padlock64
|
||||
%patch84 -p1 -b .trusted-first
|
||||
%patch87 -p1 -b .cc-reqs
|
||||
%patch82 -p1 -b .trusted-first
|
||||
%patch83 -p1 -b .alt-chains
|
||||
|
||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||
|
||||
@ -473,6 +475,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Apr 28 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2a-2
|
||||
- add alternative certificate chain discovery support from upstream
|
||||
|
||||
* Thu Apr 23 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2a-1
|
||||
- rebase to 1.0.2 branch
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user