diff --git a/configure.ac b/configure.ac
index 9c2f61572..ae915db85 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6985,6 +6985,7 @@ then
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT"
 AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE"
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
 ENABLED_TRUSTED_PEER_CERT=yes
 fi
diff --git a/src/internal.c b/src/internal.c
index c2d631820..579901f96 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -12348,15 +12348,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ret = MAX_CHAIN_ERROR;
 }
 #endif
- /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
- ret == CRL_CERT_DATE_ERR)) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
- }
-
 #ifdef WOLFSSL_ALT_CERT_CHAINS
 /* For alternate cert chain, its okay for a CA cert to fail with ASN_NO_SIGNER_E here. The "alternate" certificate
@@ -12380,6 +12371,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 skipAddCA = 1;
 }
 #endif /* WOLFSSL_ALT_CERT_CHAINS */
+
+ /* Do verify callback */
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (ssl->options.verifyNone &&
+ (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+ ret == CRL_CERT_DATE_ERR)) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+
+
 /* If valid CA then add to Certificate Manager */
 if (ret == 0 && args->dCert->isCA &&
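Review bot: The added `-DWOLFSSL_ALT_CERT_CHAINS` line relaxes chain verification for every build that takes this branch (the comment in src/internal.c later in this patch says a CA cert failing with ASN_NO_SIGNER_E is tolerated in alternate-chain mode), yet nothing in the block records why that relaxation belongs alongside WOLFSSL_TRUST_PEER_CERT. A one-line comment above the new line would spare the next reader a trip into internal.c, e.g. `# WOLFSSL_ALT_CERT_CHAINS: ProcessPeerCerts (src/internal.c) tolerates ASN_NO_SIGNER_E on a CA cert in this mode; needed for the trusted-peer-cert flow`. I am inferring the link to trusted peer certificates from the neighbouring `ENABLED_TRUSTED_PEER_CERT=yes`; the commit message is the place to confirm it. The enclosing `if … then` block starts before the hunk.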