changeset:   94857:442e2c357979
parent:      94854:5f3dd0a2b1ab
parent:      94855:7f64437a707f
user:        Benjamin Peterson <benjamin@python.org>
date:        Wed Mar 04 22:11:48 2015 -0500
files:       Misc/NEWS Modules/_ssl.c
description:
merge 3.4 (#23476)


diff -r 5f3dd0a2b1ab -r 442e2c357979 Misc/NEWS
--- a/Misc/NEWS	Thu Mar 05 15:45:01 2015 +1300
+++ b/Misc/NEWS	Wed Mar 04 22:11:48 2015 -0500
@@ -13,6 +13,9 @@
 Library
 -------
 
+- Issue #23476: In the ssl module, enable OpenSSL's X509_V_FLAG_TRUSTED_FIRST
+  flag on certificate stores when it is available.
+
 - Issue #23576: Avoid stalling in SSL reads when EOF has been reached in the
   SSL layer but the underlying connection hasn't been closed.
 
diff -r 5f3dd0a2b1ab -r 442e2c357979 Modules/_ssl.c
--- a/Modules/_ssl.c	Thu Mar 05 15:45:01 2015 +1300
+++ b/Modules/_ssl.c	Wed Mar 04 22:11:48 2015 -0500
@@ -2199,6 +2199,15 @@
                                    sizeof(SID_CTX));
 #undef SID_CTX
 
+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
+
     return (PyObject *)self;
 }