enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)

2025-07-19 09:15:34 +00:00 · 2015-03-04 22:11:12 -05:00 · 2015-03-04 22:11:12 -05:00 · fdb1971587
commit fdb1971587
parent 20f4bd4a04
2 changed files with 12 additions and 0 deletions
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -2063,6 +2063,15 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
                                   sizeof(SID_CTX));
 #undef SID_CTX

+#ifdef X509_V_FLAG_TRUSTED_FIRST
+    {
+        /* Improve trust chain building when cross-signed intermediate
+           certificates are present. See https://bugs.python.org/issue23476. */
+        X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
+        X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
+    }
+#endif
+
    return (PyObject *)self;
 }