[SSL] Add ability to set verification flags #2490
Not that familiar with these flags, or how and when they may be set. In
to something like:
Thanks @MSP-Greg! I changed it to
Well, I found out what one can't do with git... I rebased this, adjusted dsl.rb, then hit a compile issue, fixed that, then decided that, rather than repeating I don't know what you think, but the patch is at: https://github.com/MSP-Greg/puma/commit/4d063d982c5.patch If you rebase, then replace the PR commit with the above, it should be good to merge, and CI did pass...
Any number of verification flags supported by OpenSSL can be set ( https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_hostflags.html#VERIFICATION-FLAGS
I rebased this. I also updated README and History files. I hope all is good now.
Thank you. Sorry for the trouble, the changes I made to DSL got merged first, so this got messy. The DSL changes allow access to the ssl bind string, which makes CI a bit easier...
Description
Add ability to set OpenSSL verification flags (https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_hostflags.html#VERIFICATION-FLAGS).
We had a need to set X509_V_FLAG_PARTIAL_CHAIN flag. Most major TLS libraries behave like this by default but not OpenSSL (openssl/openssl#7871). Adding ability to set any verification flag allows us to set X509_V_FLAG_PARTIAL_CHAIN flag. I think it may be useful for others too.
I implemented this for MRI only as I don't know how to do this for JRuby (and if this is even required?).
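The effect of the partial-chain flag described above, shown as an added example that is not part of this pull request or of Puma's code. It uses only Ruby's standard openssl library at the X509 store level; every certificate name is a constructed sample, and the helpers `issue`, `verify` and `demo` are hypothetical.

```ruby
require "openssl"

# Issue a certificate; self-signed when no issuer is given.
# All subjects used below are constructed sample names.
def issue(subject, key, issuer = nil, issuer_key = key, ca: true, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against a store that trusts only the certificates in `trusted`.
def verify(trusted, leaf, flags = 0)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.flags = flags
  store.verify(leaf)
end

def demo
  root_key, int_key, leaf_key, other_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue("/CN=Example Root CA", root_key)
  inter = issue("/CN=Example Intermediate CA", int_key, root, root_key, serial: 2)
  leaf  = issue("/CN=client.example", leaf_key, inter, int_key, ca: false, serial: 3)
  other = issue("/CN=Unrelated CA", other_key) # never added to a store
  stray = issue("/CN=stray.example", leaf_key, other, other_key, ca: false, serial: 4)
  partial = OpenSSL::X509::V_FLAG_PARTIAL_CHAIN
  {
    # Store holds only the intermediate: OpenSSL's default wants a self-signed root.
    intermediate_only_default: verify([inter], leaf),
    # Same store with the flag: the intermediate is accepted as the trust anchor.
    intermediate_only_partial: verify([inter], leaf, partial),
    full_chain_default: verify([root, inter], leaf),
    # The flag does not relax issuer checks: an unrelated leaf is still rejected.
    unrelated_leaf_partial: verify([inter], stray, partial),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With the flag set, the chain is trusted at the intermediate and is not built up to the root, so whatever is placed in the trust store becomes the anchor.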