diff options
author | Petr Štetiar <ynezz@true.cz> | 2022-02-22 20:00:28 +0100 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2022-02-22 20:29:39 +0100 |
commit | b99d7aecc83fd180f7a3c3efaae00845e7a73129 (patch) | |
tree | 1fa6e81c0aa49a01a877a0f854c897f486fce67f | |
parent | 7612ecb201eebd0b273aa9225539fd45d538a1db (diff) | |
download | upstream-b99d7aecc83fd180f7a3c3efaae00845e7a73129.tar.gz upstream-b99d7aecc83fd180f7a3c3efaae00845e7a73129.tar.bz2 upstream-b99d7aecc83fd180f7a3c3efaae00845e7a73129.zip |
wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:
$ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
Downloading 'https://letsencrypt.org'
Connecting to 18.159.128.50:443
Connection error: Invalid SSL certificate
Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c)
-rw-r--r-- | package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch new file mode 100644 index 0000000000..9651c03af6 --- /dev/null +++ b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch @@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Juliusz Sosinowicz <juliusz@wolfssl.com> +Date: Sat, 12 Feb 2022 00:34:24 +0100 +Subject: [PATCH] Reported in ZD13631 + +`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain + +References: https://github.com/wolfSSL/wolfssl/issues/4879 +--- + src/internal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/internal.c b/src/internal.c +index 0dded42a76c4..f5814d30607c 100644 +--- a/src/internal.c ++++ b/src/internal.c +@@ -12372,6 +12372,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, + } + + ret = 0; /* clear errors and continue */ ++ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ++ ssl->peerVerifyRet = 0; ++ #endif + args->verifyErr = 0; + } + |