RED-48113: Set a default of partial chain verification

RedisLabs · Oct 22, 2020 · 80b7c9c · 80b7c9c
1 parent 50ef094
commit 80b7c9c
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc
@@ -175,6 +175,11 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
       if (has_crl) {
         X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
       }
+
+      // RED-48113: Set a default of partial chain verification
+      ENVOY_LOG_MISC(info, "Applying X509_V_FLAG_PARTIAL_CHAIN on TLS contexts");
+      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
+
       verify_mode = SSL_VERIFY_PEER;
       verify_trusted_ca_ = true;