skip certificate which is not part of the chain

Fixes: 25606 Browsers and curl ignore extra irrelevant certificates in the chain. This fix skips certificate which is not part of the chain. Remaining certificates still form an unbroken chain of signatures with the last one trusted by root CA. Some other domain which also have extra certificates in the chain: - jhu.edu - last.fm - terra.com.br
2025-12-06 13:54:21 +00:00 · 2025-10-17 16:33:06 +02:00 · 2025-10-17 16:33:06 +02:00 · 91e04a24af
commit 91e04a24af
parent 2ab0ca13bb
1 changed files with 8 additions and 1 deletions
--- a/lib/std/crypto/tls/Client.zig
+++ b/lib/std/crypto/tls/Client.zig
@ -637,7 +637,14 @@ pub fn init(input: *Reader, output: *Writer, options: Options) InitError!Client
                                // certificate_verify message later.
                                try main_cert_pub_key.init(subject.pub_key_algo, subject.pubKey());
                            } else {
-                                try prev_cert.verify(subject, now_sec);
+                                prev_cert.verify(subject, now_sec) catch |err| switch (err) {
+                                    error.CertificateIssuerMismatch => {
+                                        // Skip certificate which is not part of the chain
+                                        cert_index += 1;
+                                        continue;
+                                    },
+                                    else => |e| return e,
+                                };
                            }

                            switch (options.ca) {