crypto: trusted store first for cross root cert

Fix nodejs#8894
shigeki · Jan 8, 2015 · 2745b30 · 2745b30
1 parent 396141e
commit 2745b30
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -311,6 +311,8 @@ Handle<Value> SecureContext::Init(const Arguments& args) {
   SSL_CTX_sess_set_get_cb(sc->ctx_, GetSessionCallback);
   SSL_CTX_sess_set_new_cb(sc->ctx_, NewSessionCallback);
 
+  X509_VERIFY_PARAM_set_flags(sc->param_, X509_V_FLAG_TRUSTED_FIRST);
+  SSL_CTX_set1_param(sc->ctx_, sc->param_);
   sc->ca_store_ = NULL;
   return True();
 }
@@ -802,7 +804,7 @@ size_t ClientHelloParser::Write(const uint8_t* data, size_t len) {
   HandleScope scope;
 
   assert(state_ != kEnded);
-  
+
   // Just accumulate data, everything will be pushed to BIO later
   if (state_ == kPaused) return 0;
 

diff --git a/src/node_crypto.h b/src/node_crypto.h
@@ -62,6 +62,7 @@ class SecureContext : ObjectWrap {
   SSL_CTX *ctx_;
   // TODO: ca_store_ should probably be removed, it's not used anywhere.
   X509_STORE *ca_store_;
+  X509_VERIFY_PARAM *param_;
 
  protected:
   static const int kMaxSessionSize = 10 * 1024;
@@ -88,6 +89,7 @@ class SecureContext : ObjectWrap {
   SecureContext() : ObjectWrap() {
     ctx_ = NULL;
     ca_store_ = NULL;
+    param_ = X509_VERIFY_PARAM_new();
   }
 
   void FreeCTXMem() {
@@ -102,6 +104,7 @@ class SecureContext : ObjectWrap {
       SSL_CTX_free(ctx_);
       ctx_ = NULL;
       ca_store_ = NULL;
+      X509_VERIFY_PARAM_free(param_);
     } else {
       assert(ca_store_ == NULL);
     }