[Python-checkins] cpython (3.4): enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)

benjamin.peterson python-checkins at python.org
Thu Mar 5 04:11:53 CET 2015


https://hg.python.org/cpython/rev/7f64437a707f
changeset: 94855:7f64437a707f
branch: 3.4
parent: 94852:77a978716517
user: Benjamin Peterson <benjamin at python.org>
date: Wed Mar 04 22:11:12 2015 -0500
summary:
 enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
files:
 Misc/NEWS | 3 +++
 Modules/_ssl.c | 9 +++++++++
 2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@
 Library
 -------
 
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+ flag on certificate stores when it is available.
+
 - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
 SSL layer but the underlying connection hasn't been closed.
 
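Review bot: the NEWS entry only says the flag is enabled "when it is available" and leaves out the user-visible effect, which the comment in the _ssl.c hunk does state (better chain building when cross-signed intermediate certificates are present). A reader deciding whether to pick up this change wants that here too, e.g. "- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST flag on certificate stores when it is available, so that chain building prefers certificates in the trust store over cross-signed intermediates sent by the peer."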
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2063,6 +2063,15 @@
 sizeof(SID_CTX));
 #undef SID_CTX
 
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+ {
+ /* Improve trust chain building when cross-signed intermediate
+ certificates are present. See https://bugs.python.org/issue23476. */
+ X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+ X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+ }
+#endif
+
 return (PyObject *)self;
 }
 
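Review bot: the whole block is guarded by `#ifdef X509_V_FLAG_TRUSTED_FIRST`, so a build against an OpenSSL whose headers lack the macro silently keeps the old chain-building behaviour, and nothing in this patch tests or documents either outcome. A regression test that verifies against a cross-signed chain (the case the comment names) would make the difference visible, and the ssl module docs should say the flag is applied at context creation when OpenSSL supports it. Setting it via `X509_STORE_set_flags` is the right call since it ORs the flag into the store's existing flags rather than replacing them, and the bare `{ ... }` scope for `store` is fine, but since the flag is set unconditionally here rather than through the module's verify-flags machinery, consider whether it should also be exposed as a constant so Python code can see or clear it.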
-- 
Repository URL: https://hg.python.org/cpython

