Only check top-level certificate against fingerprint list.

This allows "chain" certificates to be used with the fingerprint whitelist option. A user can get a system-ca signature as backup while clients explicitly whitelist the server certificate. The user specified CA can also be combined with fingerprint whitelisting.
2024-11-10 13:13:27 +01:00 · 2019-04-04 01:48:55 -04:00 · 2019-04-04 01:48:55 -04:00 · 97cd1fa98d
commit 97cd1fa98d
parent 7c388fb358
1 changed files with 4 additions and 2 deletions
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@ -285,8 +285,10 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
      MERROR("Error getting verify_context handle");
      return false;
    }
-    X509 *cert =X509_STORE_CTX_get_current_cert(sctx);
-    if (!cert)
+
+    X509* cert = nullptr;
+    const STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(sctx);
+    if (!chain || sk_X509_num(chain) < 1 || !(cert = sk_X509_value(chain, 0)))
    {
      MERROR("No certificate found in verify_context");
      return false;