RED-48113: Set a default of partial chain verification (#4)

RedisLabs · Nov 11, 2020 · 6e14801 · 6e14801
1 parent 8fb3cb8
commit 6e14801
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc
@@ -186,6 +186,11 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
       if (has_crl) {
         X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
       }
+
+      // RED-48113: Set a default of partial chain verification
+      ENVOY_LOG_MISC(info, "Applying X509_V_FLAG_PARTIAL_CHAIN on TLS contexts");
+      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
+
       verify_mode = SSL_VERIFY_PEER;
       verify_trusted_ca_ = true;