diff --git a/SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch b/SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
new file mode 100644
index 0000000..5b7044c
--- /dev/null
+++ b/SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
@@ -0,0 +1,291 @@
+From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 2 Dec 2019 10:45:55 +0100
+Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN
+
+Have intermediate certificates in the trust store be treated as
+trust-anchors, in the same way as self-signed root CA certificates
+are. This allows users to verify servers using the intermediate cert
+only, instead of needing the whole chain.
+
+Other TLS backends already accept partial chains.
+
+Reported-by: Jeffrey Walton
+Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
+
+Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index d8bcc4f..8e791b9 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+     infof(data, "  CRLfile: %s\n", ssl_crlfile);
+   }
+ 
+-  /* Try building a chain using issuers in the trusted store first to avoid
+-  problems with server-sent legacy intermediates.
+-  Newer versions of OpenSSL do alternate chain checking by default which
+-  gives us the same fix without as much of a performance hit (slight), so we
+-  prefer that if available.
+-  https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+-  */
+-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+   if(verifypeer) {
++    /* Try building a chain using issuers in the trusted store first to avoid
++       problems with server-sent legacy intermediates.  Newer versions of
++       OpenSSL do alternate chain checking by default which gives us the same
++       fix without as much of a performance hit (slight), so we prefer that if
++       available.
++       https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
++    */
++#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
+     X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                          X509_V_FLAG_TRUSTED_FIRST);
+-  }
+ #endif
++#ifdef X509_V_FLAG_PARTIAL_CHAIN
++    /* Have intermediate certificates in the trust store be treated as
++       trust-anchors, in the same way as self-signed root CA certificates
++       are. This allows users to verify servers using the intermediate cert
++       only, instead of needing the whole chain. */
++    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
++                         X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++  }
+ 
+   /* SSL always tries to verify the peer, this only says whether it should
+    * fail to connect if the verification fails, or if it should continue
+-- 
+2.26.2
+
+
+From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 2 Dec 2019 10:55:33 +0100
+Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial
+ cert chains
+
+Closes #4655
+
+Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------
+ docs/libcurl/symbols-in-versions        |  1 +
+ include/curl/curl.h                     |  4 +++
+ lib/setopt.c                            |  1 +
+ lib/urldata.h                           |  1 +
+ lib/vtls/openssl.c                      | 14 +++++----
+ 6 files changed, 36 insertions(+), 25 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+index d781434..6286a64 100644
+--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
++++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+@@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
+ 
+ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
+ .SH DESCRIPTION
+-Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
+-
+-\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
+-workarounds for a security flaw in the SSL3 and TLS1.0 protocols.  If this
+-option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
+-work-around for this flaw although it might cause interoperability problems
+-with some (older) SSL implementations. WARNING: avoiding this work-around
+-lessens the security, and by setting this option to 1 you ask for exactly that.
+-This option is only supported for DarwinSSL, NSS and OpenSSL.
+-
+-Added in 7.44.0:
+-
+-\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
+-checks for those SSL backends where such behavior is present. \fBCurrently this
+-option is only supported for WinSSL (the native Windows SSL library), with an
+-exception in the case of Windows' Untrusted Publishers blacklist which it seems
+-can't be bypassed.\fP This option may have broader support to accommodate other
+-SSL backends in the future.
+-https://curl.haxx.se/docs/ssl-compared.html
++Pass a long with a bitmask to tell libcurl about specific SSL
++behaviors. Available bits:
++.IP CURLSSLOPT_ALLOW_BEAST
++Tells libcurl to not attempt to use any workarounds for a security flaw in the
++SSL3 and TLS1.0 protocols.  If this option isn't used or this bit is set to 0,
++the SSL layer libcurl uses may use a work-around for this flaw although it
++might cause interoperability problems with some (older) SSL
++implementations. WARNING: avoiding this work-around lessens the security, and
++by setting this option to 1 you ask for exactly that.  This option is only
++supported for DarwinSSL, NSS and OpenSSL.
++.IP CURLSSLOPT_NO_REVOKE
++Tells libcurl to disable certificate revocation checks for those SSL backends
++where such behavior is present. This option is only supported for Schannel
++(the native Windows SSL library), with an exception in the case of Windows'
++Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
++7.44.0)
++.IP CURLSSLOPT_NO_PARTIALCHAIN
++Tells libcurl to not accept "partial" certificate chains, which it otherwise
++does by default. This option is only supported for OpenSSL and will fail the
++certificate verification if the chain ends with an intermediate certificate
++and not with a root cert. (Added in 7.68.0)
+ .SH DEFAULT
+ 0
+ .SH PROTOCOLS
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 3b3861f..54923d0 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL           7.34.0        -           7.38.1
+ CURLSSLBACKEND_SCHANNEL         7.34.0
+ CURLSSLBACKEND_WOLFSSL          7.49.0
+ CURLSSLOPT_ALLOW_BEAST          7.25.0
++CURLSSLOPT_NO_PARTIALCHAIN      7.68.0
+ CURLSSLOPT_NO_REVOKE            7.44.0
+ CURLSSLSET_NO_BACKENDS          7.56.0
+ CURLSSLSET_OK                   7.56.0
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 8f473e2..75f9384 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -795,6 +795,10 @@ typedef enum {
+    SSL backends where such behavior is present. */
+ #define CURLSSLOPT_NO_REVOKE (1<<1)
+ 
++/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
++   if possible. The OpenSSL backend has this ability. */
++#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
++
+ /* The default connection attempt delay in milliseconds for happy eyeballs.
+    CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
+    this value, keep them in sync. */
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 5c5f4b3..4f04962 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+     arg = va_arg(param, long);
+     data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
++    data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+     break;
+ 
+   case CURLOPT_PROXY_SSL_OPTIONS:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 4b70cc5..c70290a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -235,6 +235,7 @@ struct ssl_config_data {
+   bool enable_beast; /* especially allow this flaw for interoperability's
+                         sake*/
+   bool no_revoke;    /* disable SSL certificate revocation checks */
++  bool no_partialchain;  /* don't accept partial certificate chains */
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+   char *issuercert;/* optional issuer certificate filename */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 8e791b9..87f6c4c 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+                          X509_V_FLAG_TRUSTED_FIRST);
+ #endif
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+-    /* Have intermediate certificates in the trust store be treated as
+-       trust-anchors, in the same way as self-signed root CA certificates
+-       are. This allows users to verify servers using the intermediate cert
+-       only, instead of needing the whole chain. */
+-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+-                         X509_V_FLAG_PARTIAL_CHAIN);
++    if(!SSL_SET_OPTION(no_partialchain)) {
++      /* Have intermediate certificates in the trust store be treated as
++         trust-anchors, in the same way as self-signed root CA certificates
++         are. This allows users to verify servers using the intermediate cert
++         only, instead of needing the whole chain. */
++      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
++                           X509_V_FLAG_PARTIAL_CHAIN);
++    }
+ #endif
+   }
+ 
+-- 
+2.26.2
+
+
+From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 May 2020 23:00:31 +0200
+Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply
+ CURLSSLOPT_NO_PARTIALCHAIN
+
+... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
+
+Reported-by: Michael Kaufmann
+Fixes #5374
+Closes #5376
+
+Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++-----
+ lib/vtls/openssl.c                  |  8 ++++++--
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
+index 080caa7..f111585 100644
+--- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
++++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
+ occurs during the SSL exchange.
+ 
+ When curl is built to use NSS or GnuTLS, there is no way to influence the use
+-of CRL passed to help in the verification process. When libcurl is built with
+-OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
+-set, requiring CRL check against all the elements of the certificate chain if
+-a CRL file is passed.
++of CRL passed to help in the verification process.
++
++When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
++X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
++elements of the certificate chain if a CRL file is passed. Also note that
++\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
++\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
+ 
+ This option makes sense only when used in combination with the
+ \fICURLOPT_SSL_VERIFYPEER(3)\fP option.
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 87f6c4c..9476773 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+                          X509_V_FLAG_TRUSTED_FIRST);
+ #endif
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+-    if(!SSL_SET_OPTION(no_partialchain)) {
++    if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
+       /* Have intermediate certificates in the trust store be treated as
+          trust-anchors, in the same way as self-signed root CA certificates
+          are. This allows users to verify servers using the intermediate cert
+-         only, instead of needing the whole chain. */
++         only, instead of needing the whole chain.
++
++         Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
++         cannot do partial chains with CRL check.
++      */
+       X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                            X509_V_FLAG_PARTIAL_CHAIN);
+     }
+-- 
+2.26.2
+
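Review bot: The lib/setopt.c hunk of patch 2/3 sets `data->set.ssl.no_partialchain` only under `CURLOPT_SSL_OPTIONS`; the `case CURLOPT_PROXY_SSL_OPTIONS:` that immediately follows in the same hunk is left untouched, so `proxy_ssl.no_partialchain` keeps its zero default and, assuming `SSL_SET_OPTION()` in openssl.c resolves to `proxy_ssl` for HTTPS-proxy connections as in upstream vtls.h, the new bit cannot disable partial chains for the proxy's TLS session even though the man-page text added here does not mention that limitation. Mirroring the one line in that case, `data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);`, would make the two setters agree (the body of the PROXY_SSL_OPTIONS case lies outside the hunk). Separately, the CURLOPT_CRLFILE.3 text in patch 3/3 says the implication applies "since curl 7.71.0" and CURLOPT_SSL_OPTIONS.3 says the bit was "Added in 7.68.0", so the rendered man pages of the 7.61.1-17 package will cite versions later than the package's own; a short distro note that this build carries both behaviours would keep users from concluding the option is absent. The enclosing ossl_connect_step1 starts and ends outside the quoted openssl.c hunks.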
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index d32e5ed..68679a7 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -64,6 +64,9 @@ Patch22:  0022-curl-7.61.1-CVE-2020-8231.patch
 # do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
 Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch
 
+# validate an ssl connection using an intermediate certificate (#1895355)
+Patch24:  0024-curl-7.61.1-openssl-partial-chain.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -250,6 +253,7 @@ git apply %{PATCH4}
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -410,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Thu Nov 12 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-17
+- validate an ssl connection using an intermediate certificate (#1895355)
+
 * Fri Nov 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-16
 - fix multiarch conflicts in libcurl-minimal (#1895391)