-rw-r--r--Misc/NEWS3
-rw-r--r--Modules/_ssl.c9
2 files changed, 12 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 1298434..29c6214 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
Library
-------
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+ flag on certificate stores when it is available.
+
- Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
SSL layer but the underlying connection hasn't been closed.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index e7ba583..a5b94eb 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2063,6 +2063,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
sizeof(SID_CTX));
#undef SID_CTX
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+ {
+ /* Improve trust chain building when cross-signed intermediate
+ certificates are present. See https://bugs.python.org/issue23476. */
+ X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+ X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+ }
+#endif
+
return (PyObject *)self;
}
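Review bot: The comment above the new `X509_STORE_set_flags` call names the issue but not what the flag changes, so a reader cannot tell why it helps with cross-signed intermediates; I would replace it with `/* X509_V_FLAG_TRUSTED_FIRST: when building the chain, prefer certificates from the trust store over untrusted ones sent by the peer, so a cross-signed (possibly expired) intermediate in the peer's chain does not defeat an otherwise valid trusted path. See https://bugs.python.org/issue23476. */`. The flag is OR-ed into the store's verify parameters once at context creation; if the module's verify_flags setter (not visible in this hunk) rewrites those parameters rather than OR-ing into them, a later Python-level assignment could silently drop it, which is worth a sentence in the same comment or a check in that setter. context_new's body starts outside the hunk.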