Diffstat (limited to 'runtime-openssl-sha1.patch')
-rw-r--r-- | runtime-openssl-sha1.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/runtime-openssl-sha1.patch b/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..6e307ef
--- /dev/null
+++ b/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
|
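Review bot: The embedded pal_x509.c hunk drops `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE)` for every caller of CryptoNative_X509StoreCtxInit, not only for chains that end in a SHA-1 root, and leaves nothing in the code to say why. With the flag gone, OpenSSL's default applies and the self-signature on the root is not verified, so a self-signed anchor with a damaged signature or an unsupported digest no longer produces a validation error. Presumably some callers or tests relied on that error; a test covering both a SHA-1 root and a corrupted self-signature would confirm the new behaviour. I would leave a comment where the block was removed, e.g. `/* X509_V_FLAG_CHECK_SS_SIGNATURE deliberately not set: RHEL OpenSSL disables SHA-1 signatures, which fails chains ending in a SHA-1 self-signed root. */`, and add a tracking reference to the patch header (placeholder `<upstream-issue-url>`) so the downstream divergence can be revisited. The function's opening lies outside the hunk.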