From 074b7af7efb6614b4fa911d044d19b6da54e47d1 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <nornagon@nornagon.net>
Date: Fri, 3 Aug 2018 10:56:51 -0700
Subject: [PATCH] crypto: enable auto cert chaining for BoringSSL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenSSL enables this feature by default, but BoringSSL doesn't. This
change makes it so that when building node with BoringSSL, the
behaviour matches OpenSSL's.

PR-URL: https://github.com/nodejs/node/pull/22110
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
---
 src/node_crypto.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 1b246509baf473..49eabe2ec46704 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -463,6 +463,11 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv2);
   SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_NO_SSLv3);
 
+  // Enable automatic cert chaining. This is enabled by default in OpenSSL, but
+  // disabled by default in BoringSSL. Enable it explicitly to make the
+  // behavior match when Node is built with BoringSSL.
+  SSL_CTX_clear_mode(sc->ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
+
   // SSL session cache configuration
   SSL_CTX_set_session_cache_mode(sc->ctx_.get(),
                                  SSL_SESS_CACHE_SERVER |