From 074b7af7efb6614b4fa911d044d19b6da54e47d1 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp
Date: Fri, 3 Aug 2018 10:56:51 -0700
Subject: [PATCH] crypto: enable auto cert chaining for BoringSSL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenSSL enables this feature by default, but BoringSSL doesn't. This change makes it so that when building node with BoringSSL, the behaviour matches OpenSSL's.

PR-URL: https://github.com/nodejs/node/pull/22110
Reviewed-By: Tobias Nießen
Reviewed-By: Ujjwal Sharma
Reviewed-By: James M Snell
Reviewed-By: Ben Noordhuis
---
 src/node_crypto.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 1b246509baf473..49eabe2ec46704 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -463,6 +463,11 @@ void SecureContext::Init(const FunctionCallbackInfo& args) {
 SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv2);
 SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv3);
 
+ // Enable automatic cert chaining. This is enabled by default in OpenSSL, but
+ // disabled by default in BoringSSL. Enable it explicitly to make the
+ // behavior match when Node is built with BoringSSL.
+ SSL_CTX_clear_mode(sc->ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
+
 // SSL session cache configuration
 SSL_CTX_set_session_cache_mode(sc->ctx_.get(),
 SSL_SESS_CACHE_SERVER |
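Review bot: The comment added above `SSL_CTX_clear_mode(sc->ctx_.get(), SSL_MODE_NO_AUTO_CHAIN)` gives the parity reason but not what auto chaining does to the handshake, which is what someone auditing the TLS configuration needs to know. As I understand the library behaviour, with the flag cleared and no explicit chain configured, the chain sent to the peer is assembled from the context's certificate store, so I would extend the comment with `// With auto chaining, a missing chain is built from this context's cert store when the certificate is sent.` The diffstat lists only src/node_crypto.cc, so nothing pins this for BoringSSL builds. A test where a server is given a leaf certificate and its issuer only through the `ca` option, and the client checks that the issuer is still presented, would catch a regression. SecureContext::Init starts and ends outside the hunk.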