From 2745b30bd1ffd6bcfb4c1e2dc6da6ac0dc9ba08c Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu
Date: Thu, 8 Jan 2015 11:22:11 +0900
Subject: [PATCH] crypto: trusted store first for cross root cert

Fix #8894
---
 src/node_crypto.cc | 4 +++-
 src/node_crypto.h  | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7a3922a797f8..53386f87b42a 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -311,6 +311,8 @@ Handle SecureContext::Init(const Arguments& args) {
   SSL_CTX_sess_set_get_cb(sc->ctx_, GetSessionCallback);
   SSL_CTX_sess_set_new_cb(sc->ctx_, NewSessionCallback);
 
+  X509_VERIFY_PARAM_set_flags(sc->param_, X509_V_FLAG_TRUSTED_FIRST);
+  SSL_CTX_set1_param(sc->ctx_, sc->param_);
   sc->ca_store_ = NULL;
   return True();
 }
@@ -802,7 +804,7 @@ size_t ClientHelloParser::Write(const uint8_t* data, size_t len) {
   HandleScope scope;
 
   assert(state_ != kEnded);
-  
+
   // Just accumulate data, everything will be pushed to BIO later
   if (state_ == kPaused)
     return 0;
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 54b9b88e437a..9ae8a173f02d 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -62,6 +62,7 @@ class SecureContext : ObjectWrap {
   SSL_CTX *ctx_;
   // TODO: ca_store_ should probably be removed, it's not used anywhere.
   X509_STORE *ca_store_;
+  X509_VERIFY_PARAM *param_;
 
  protected:
   static const int kMaxSessionSize = 10 * 1024;
@@ -88,6 +89,7 @@ class SecureContext : ObjectWrap {
   SecureContext() : ObjectWrap() {
     ctx_ = NULL;
     ca_store_ = NULL;
+    param_ = X509_VERIFY_PARAM_new();
   }
 
   void FreeCTXMem() {
@@ -102,6 +104,7 @@ class SecureContext : ObjectWrap {
       SSL_CTX_free(ctx_);
       ctx_ = NULL;
       ca_store_ = NULL;
+      X509_VERIFY_PARAM_free(param_);
     } else {
       assert(ca_store_ == NULL);
     }
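Review bot: `SSL_CTX_set1_param(sc->ctx_, sc->param_)` copies the verification parameters into the context's own X509_VERIFY_PARAM rather than taking ownership of the pointer, so keeping `param_` alive as a SecureContext member for the whole object lifetime buys nothing and is what forces the extra allocation/free bookkeeping in node_crypto.h; a local created and freed around this call would carry the same flag with no lifetime to manage. Neither return value is checked, and since `param_` comes from an unchecked `X509_VERIFY_PARAM_new()` in the constructor, an allocation failure would make `X509_VERIFY_PARAM_set_flags` dereference NULL here; the failure should make Init fail the way its other error paths do rather than silently proceed without the flag, because the flag is the security fix (it makes chain building prefer the trust store over the extra certificates the peer sends, which is what keeps a peer from steering verification onto an untrusted cross-signing root). The added lines also deserve a comment saying why the flag is set, since its purpose is not obvious from the identifier. SecureContext::Init begins outside this hunk.
```cpp
  SSL_CTX_sess_set_new_cb(sc->ctx_, NewSessionCallback);

  // Build the chain from the trust store before falling back to the extra
  // certificates the peer sends (X509_V_FLAG_TRUSTED_FIRST), so a peer cannot
  // steer chain building onto an untrusted cross-signing root (#8894).
  X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
  if (param == NULL) {
    // fail Init here the way its other error paths do; do not continue
    // without the flag
  }
  X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
  SSL_CTX_set1_param(sc->ctx_, param);  // copies into ctx_; param is not retained
  X509_VERIFY_PARAM_free(param);
  // … unchanged: ca_store_ reset and return …
```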
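Review bot: `param_ = X509_VERIFY_PARAM_new();` in the constructor is not checked, and a constructor has no way to report the failure, so a NULL here only surfaces later as a crash in SecureContext::Init when the flags are set on it. If the member is kept, the check belongs at the first use, before `X509_VERIFY_PARAM_set_flags(sc->param_, ...)` in Init, failing Init as its other error paths do. Because SSL_CTX_set1_param copies the parameters into the context, the object could instead be created and freed locally inside Init, which removes the member and this unreportable allocation entirely. The constructor is shown in full here, but the class body continues outside the hunk.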
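Review bot: `X509_VERIFY_PARAM_free(param_);` is placed inside the `ctx_ != NULL` branch, so a SecureContext whose ctx_ was never created (Init not called, or failing before the context is set up) leaks param_, which the constructor allocates unconditionally; after the free the pointer is also left dangling instead of being reset the way ctx_ and ca_store_ are on the lines above it. Release it unconditionally, outside the if/else, and null it: `X509_VERIFY_PARAM_free(param_); param_ = NULL;` (X509_VERIFY_PARAM_free tolerates NULL in the OpenSSL releases I am aware of, which makes a repeated FreeCTXMem call harmless; worth confirming against the version node builds with). FreeCTXMem begins and ends outside this hunk.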