1 files changed, 34 insertions, 0 deletions
diff --git a/patches/libcrypto_1.diff b/patches/libcrypto_1.diff
new file mode 100644
index 0000000..ba5387a
--- /dev/null
+++ b/patches/libcrypto_1.diff
@@ -0,0 +1,34 @@
+commit 43e306df17537f5033b9b61d33f555d19d1bec9d
+Author: jsing <>
+Date:   Thu Sep 30 18:23:46 2021 +0000
+    Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+    
+    In order to work around the expired DST Root CA X3 certficiate, enable
+    X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
+    default chain provided by Let's Encrypt will stop at the ISRG Root X1
+    intermediate, rather than following the DST Root CA X3 intermediate.
+    
+    Note that the new verifier does not suffer from this issue, so only a
+    small number of things will hit this code path.
+    
+    ok millert@ robert@ tb@
+diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
+index aaf0a57dcb..42ea6e72c9 100644
+--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+  * project 2004.
+  */
+@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
+ static const X509_VERIFY_PARAM default_table[] = {
+        {
+                .name = "default",
+               .flags = X509_V_FLAG_TRUSTED_FIRST,
+                .depth = 100,
+                .trust = 0,  /* XXX This is not the default trust value */
+                .id = vpm_empty_id

diff --git a/patches/libcrypto_1.diff b/patches/libcrypto_1.diff new file mode 100644 index 0000000..ba5387a --- /dev/null +++ b/patches/libcrypto_1.diff
@@ -0,0 +1,34 @@
	1	commit 43e306df17537f5033b9b61d33f555d19d1bec9d
	2	Author: jsing <>
	3	Date: Thu Sep 30 18:23:46 2021 +0000
	4
	5	Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
	6
	7	In order to work around the expired DST Root CA X3 certficiate, enable
	8	X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
	9	default chain provided by Let's Encrypt will stop at the ISRG Root X1
	10	intermediate, rather than following the DST Root CA X3 intermediate.
	11
	12	Note that the new verifier does not suffer from this issue, so only a
	13	small number of things will hit this code path.
	14
	15	ok millert@ robert@ tb@
	16
	17	diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
	18	index aaf0a57dcb..42ea6e72c9 100644
	19	--- a/src/lib/libcrypto/x509/x509_vpm.c
	20	+++ b/src/lib/libcrypto/x509/x509_vpm.c
	21	@@ -1,4 +1,4 @@
	22	-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
	23	+/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
	24	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
	25	* project 2004.
	26	*/
	27	@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
	28	static const X509_VERIFY_PARAM default_table[] = {
	29	{
	30	.name = "default",
	31	+ .flags = X509_V_FLAG_TRUSTED_FIRST,
	32	.depth = 100,
	33	.trust = 0, /* XXX This is not the default trust value */
	34	.id = vpm_empty_id