feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix WOLFSSL_SYS_CA_CERTS bug that accepted intermediate CA certs with invalid

Browse Source 
signatures. Also adds --sys-ca-certs to client in unit.test to detect
regressions
This commit is contained in:
Brett
2023-10-19 13:37:28 -06:00
parent a3bf7a66a4
commit dd12e5a39e
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/internal.c
View File

@@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* If we are using native Apple CA validation, it is okay /* If we are using native Apple CA validation, it is okay
* for a CA cert to fail validation here, as we will verify * for a CA cert to fail validation here, as we will verify
* the entire chain when we hit the peer (leaf) cert */ * the entire chain when we hit the peer (leaf) cert */
if (ssl->ctx->doAppleNativeCertValidationFlag) { if ((ssl->ctx->doAppleNativeCertValidationFlag)
&& (ret == ASN_NO_SIGNER_E)) {
WOLFSSL_MSG("Bypassing errors to allow for Apple native" WOLFSSL_MSG("Bypassing errors to allow for Apple native"
" CA validation"); " CA validation");
ret = 0; /* clear errors and continue */ ret = 0; /* clear errors and continue */