incorporate diffs from 3.4.1 not tagged in upstream stable.v3.4.2

1 files changed, 34 insertions, 0 deletions

diff --git a/patches/libcrypto_1.diff b/patches/libcrypto_1.diff
new file mode 100644
index 0000000..ba5387a
--- /dev/null
+++ b/patches/libcrypto_1.diff
@@ -0,0 +1,34 @@
+commit 43e306df17537f5033b9b61d33f555d19d1bec9d
+Author: jsing <>
+Date:   Thu Sep 30 18:23:46 2021 +0000
+
+    Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+    
+    In order to work around the expired DST Root CA X3 certficiate, enable
+    X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
+    default chain provided by Let's Encrypt will stop at the ISRG Root X1
+    intermediate, rather than following the DST Root CA X3 intermediate.
+    
+    Note that the new verifier does not suffer from this issue, so only a
+    small number of things will hit this code path.
+    
+    ok millert@ robert@ tb@
+
+diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
+index aaf0a57dcb..42ea6e72c9 100644
+--- a/src/lib/libcrypto/x509/x509_vpm.c
++++ b/src/lib/libcrypto/x509/x509_vpm.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
++/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+  * project 2004.
+  */
+@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
+ static const X509_VERIFY_PARAM default_table[] = {
+        {
+                .name = "default",
++               .flags = X509_V_FLAG_TRUSTED_FIRST,
+                .depth = 100,
+                .trust = 0,  /* XXX This is not the default trust value */
+                .id = vpm_empty_id