From f5dd8fb0d86bd56d637f6a1921591044a5ef2a03 Mon Sep 17 00:00:00 2001 From: Carl Hetherington Date: Wed, 26 Jun 2019 15:54:09 +0100 Subject: Reject certificate chains where the adjacent certificates have the same subject. This is a backport of 31f31800705880da6ec185f9b31c7e125ae18c38 from master. --- src/certificate_chain.cc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc index 61414436..0d99d1c9 100644 --- a/src/certificate_chain.cc +++ b/src/certificate_chain.cc @@ -464,10 +464,11 @@ CertificateChain::chain_valid (List const & chain) const return false; } - /* I don't know why OpenSSL doesn't check this in verify_cert, but without this check - the certificates_validation8 test fails. + /* I don't know why OpenSSL doesn't check this stuff + in verify_cert, but without these checks the + certificates_validation8 test fails. */ - if (j->issuer() != i->subject()) { + if (j->issuer() != i->subject() || j->subject() == i->subject()) { X509_STORE_free (store); return false; } -- cgit v1.2.3