Fix for LetsEncrypt root expiry (#352)

Every LetsEncrypt issued signature chain now starts with an expired certificate, but the second item in the chain is a trusted root. So instead of failing the whole validation for any link in the chain failing, just don't add failed links to the store, then make sure the final certificate is valid given whatever *was* added to the store.
igrigorik · Apr 29, 2024 · 9ad352c · 9ad352c
1 parent a94d6ed
commit 9ad352c
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/lib/em-http/http_connection.rb b/lib/em-http/http_connection.rb
@@ -55,10 +55,9 @@ def ssl_verify_peer(cert_string)
         rescue OpenSSL::X509::StoreError => e
           raise e unless e.message == 'cert already in hash table'
         end
-        true
-      else
-        raise OpenSSL::SSL::SSLError.new(%(unable to verify the server certificate for "#{host}"))
       end
+
+      true
     end
 
     def ssl_handshake_completed
@@ -68,7 +67,8 @@ def ssl_handshake_completed
         return true
       end
 
-      unless OpenSSL::SSL.verify_certificate_identity(@last_seen_cert, host)
+      unless certificate_store.verify(@last_seen_cert) &&
+             OpenSSL::SSL.verify_certificate_identity(@last_seen_cert, host)
         raise OpenSSL::SSL::SSLError.new(%(host "#{host}" does not match the server certificate))
       else
         true