wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix WOLFSSL_SYS_CA_CERTS bug that accepted intermediate CA certs with invalid

Browse Source 
signatures. Also adds --sys-ca-certs to client in unit.test to detect
regressions
This commit is contained in:
Brett
2023-10-19 13:37:28 -06:00
parent a3bf7a66a4
commit dd12e5a39e
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/internal.c
View File

@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* If we are using native Apple CA validation, it is okay
* for a CA cert to fail validation here, as we will verify
* the entire chain when we hit the peer (leaf) cert */
if (ssl->ctx->doAppleNativeCertValidationFlag) {
if ((ssl->ctx->doAppleNativeCertValidationFlag)
&& (ret == ASN_NO_SIGNER_E)) {
WOLFSSL_MSG("Bypassing errors to allow for Apple native"
" CA validation");
ret = 0; /* clear errors and continue */