diff -Nru openssl-1.0.2g/debian/changelog openssl-1.0.2g/debian/changelog
--- openssl-1.0.2g/debian/changelog 2021-02-17 14:17:36.000000000 +0000
+++ openssl-1.0.2g/debian/changelog 2021-06-28 14:05:36.000000000 +0100
@@ -1,3 +1,11 @@
+openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium
+
+ * Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt connection with the default chain remains trusted even after the expiry of the redundand CA certificate. LP: #1928989
+
+ -- Dimitri John Ledkov Mon, 28 Jun 2021 14:05:36 +0100
+
 openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium
 * SECURITY UPDATE: Integer overflow in CipherUpdate
diff -Nru openssl-1.0.2g/debian/patches/series openssl-1.0.2g/debian/patches/series
--- openssl-1.0.2g/debian/patches/series 2021-02-17 14:14:23.000000000 +0000
+++ openssl-1.0.2g/debian/patches/series 2021-06-28 14:05:36.000000000 +0100
@@ -80,3 +80,4 @@
 CVE-2021-23840-pre2.patch
 CVE-2021-23840.patch
 CVE-2021-23841.patch
+trusted-first-by-default.patch
diff -Nru openssl-1.0.2g/debian/patches/trusted-first-by-default.patch openssl-1.0.2g/debian/patches/trusted-first-by-default.patch
--- openssl-1.0.2g/debian/patches/trusted-first-by-default.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.2g/debian/patches/trusted-first-by-default.patch 2021-06-28 14:05:36.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Enable X509_V_FLAG_TRUSTED_FIRST by default
+ This is to ensure that letsencrypt connection with the default chain
+ remains trusted even after the expiry of the redundand CA
+ certificate.
+Author: Dimitri John Ledkov
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1928989
+
+
+--- openssl-1.0.2g.orig/crypto/x509/x509_vpm.c
++++ openssl-1.0.2g/crypto/x509/x509_vpm.c
+@@ -537,7 +537,7 @@ static const X509_VERIFY_PARAM default_t
+ "default", /* X509 default parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+- 0, /* flags */
++ X509_V_FLAG_TRUSTED_FIRST, /* flags */
+ 0, /* purpose */
+ 0, /* trust */
+ 100, /* depth */
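Review bot: The new default at `+ X509_V_FLAG_TRUSTED_FIRST, /* flags */` only changes which issuer chain building picks when a matching CA is found both in the trust store and in the peer-supplied chain, so the connection described in the Description field stays trusted after the cross-signing root expires only if the local trust store already holds a current anchor for that chain; neither the DEP-3 header nor the changelog says so, and `redundand` is a typo in both. I would extend the Description with a line such as ` Requires a trust store that contains the current root; the flag has no effect when the only issuer available is the expired peer-supplied one.` and note that this is, I believe, the fixed upstream behaviour from OpenSSL 1.1.0 onwards, so that the behavioural change to chain selection is justified in the record. Whether every verification path inherits this entry is not visible here: the flag presumably reaches SSL contexts through `X509_VERIFY_PARAM_inherit` OR-ing `default` flags in, but a caller that installs its own parameters with reset flags would not pick it up — worth confirming against the rest of x509_vpm.c and ssl_lib.c before treating this as a complete fix. The `static const X509_VERIFY_PARAM default_table[]` initializer being edited starts before and continues past the inner hunk, so only the `default` entry is changed; the `ssl_client`/`ssl_server` entries remain as they were.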