ea0ea7155718c9acacc21f07b2d8cd247a2e9707 galt Tue Oct 12 17:21:06 2021 -0700 Add trust_first flag to https.c for verify makes openssl 1.0 compatible with LetsEncrypt flags. fixes #28332 diff --git src/lib/https.c src/lib/https.c index 0be0daa..c23254f 100644 --- src/lib/https.c +++ src/lib/https.c @@ -101,49 +101,41 @@ BIO *fbio=NULL; // file descriptor bio BIO *sbio=NULL; // ssl bio SSL_CTX *ctx; SSL *ssl; openSslInit(); ctx = SSL_CTX_new(SSLv23_client_method()); fd_set readfds; fd_set writefds; int err; struct timeval tv; +// Set TRUSTED_FIRST for openssl 1.0 +// Fixes common issue openssl 1.0 had with with LetsEncrypt certs in the Fall of 2021. +X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_TRUSTED_FIRST); -/* TODO checking certificates - -char *certFile = NULL; -char *certPath = NULL; -if (certFile || certPath) +// verify peer cert of the server. +SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); +if (!SSL_CTX_set_default_verify_paths(ctx)) { - SSL_CTX_load_verify_locations(ctx,certFile,certPath); -#if (OPENSSL_VERSION_NUMBER < 0x0090600fL) - SSL_CTX_set_verify_depth(ctx,1); -#endif + xerr("SSL set default verify paths failed"); } -// verify paths and mode. - -*/ - - - // Don't want any retries since we are non-blocking bio now // This is available on newer versions of openssl //SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); // Support for Http Proxy struct netParsedUrl pxy; if (proxyUrl) { netParseUrl(proxyUrl, &pxy); if (!sameString(pxy.protocol, "http")) { char s[256]; safef(s, sizeof s, "Unknown proxy protocol %s in %s. Should be http.", pxy.protocol, proxyUrl); xerr(s); goto cleanup; 
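Review bot: The new `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` makes OpenSSL validate the chain against the default trust store, but nothing in this hunk binds the presented certificate to `params->hostName`, so a valid certificate from any trusted CA for any other name would be accepted — unless a hostname check exists elsewhere in this function, which starts before and ends after the hunk (the `check_cert(ssl, host)` TODO that the second hunk deletes suggests there is none). Once the `SSL *ssl` declared here has been obtained and before the handshake, add `SSL_set1_host(ssl, params->hostName);` (OpenSSL >= 1.1.0) or `X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), params->hostName, 0);` (1.0.2) so that the verifier also rejects a name mismatch. Separately, the `SSL_CTX_set_default_verify_paths` failure branch calls `xerr(...)` without the `goto cleanup;` that the other error paths in this hunk use, so execution presumably continues toward the handshake without a usable trust store; add `goto cleanup;` after that `xerr`. The added comment also reads "with with" — drop the duplicate.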
@@ -269,38 +261,30 @@ { xerr("select() error"); goto cleanup; } if (err == 0) { char s[256]; safef(s, sizeof s, "connection timeout to %s", params->hostName); xerr(s); goto cleanup; } } -/* TODO checking certificates - -if (certFile || certPath) - if (!check_cert(ssl, host)) - return -1; - -*/ - /* we need to wait on both the user's socket and the BIO SSL socket * to see if we need to ferry data from one to the other */ char sbuf[32768]; // socket buffer sv[1] to user char bbuf[32768]; // bio buffer int srd = 0; int swt = 0; int brd = 0; int bwt = 0; while (1) { // Do NOT move this outside the while loop. /* Get underlying file descriptor, needed for select call */