2 files changed, 6 insertions, 2 deletions

diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 081b374396..6480b45bec 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.21 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.22 2021/01/05 17:14:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -408,6 +408,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk)
                         SSLerror(s, ERR_R_X509_LIB);
                         goto err;
                 }
+                X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx),
+                    X509_V_FLAG_LEGACY_VERIFY);
                 X509_verify_cert(xs_ctx);
                 ERR_clear_error();
                 chain = xs_ctx->chain;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 1c8644ab27..549383e331 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.64 2020/12/14 15:26:36 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.65 2021/01/05 17:14:46 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -639,6 +639,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
                         goto err;
                 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
                         goto err;
+                X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
+                    X509_V_FLAG_LEGACY_VERIFY);
                 X509_verify_cert(xsc);
                 ERR_clear_error();
                 chain = xsc->chain;