$OpenBSD: patch-socket_c,v 1.14 2021/07/29 10:44:07 sthen Exp $

Index: socket.c
--- socket.c.orig
+++ socket.c
@@ -1150,6 +1150,10 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
 	/* Check which trusted X.509 CA certificate store(s) to load */
 	{
 		char *tmp;
+#if defined(X509_V_FLAG_LEGACY_VERIFY)
+		X509_VERIFY_PARAM *param;
+		int flags;
+#endif
 		int want_default_cacerts = 0;
 
 		/* Load user locations if any is given */
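Review bot: The added local `int flags;` is narrower and differently signed than the type the verify-parameter accessors use: `X509_VERIFY_PARAM_get_flags()` returns `unsigned long` and `X509_VERIFY_PARAM_set_flags()` takes `unsigned long`, so the value is converted through `int` where it is used in the second hunk. Declaring it as `unsigned long flags;` keeps the full flag word intact. Since `X509_VERIFY_PARAM_set_flags()` ORs its argument into the existing flags, the local could also be dropped and the second hunk reduced to `X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_LEGACY_VERIFY);`. The enclosing block of SSLOpen starts and ends outside this hunk.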
@@ -1163,6 +1167,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
 		if (want_default_cacerts || (tmp && tmp[0])) {
 			SSL_CTX_set_default_verify_paths(_ctx[sock]);
 		}
+#if defined(X509_V_FLAG_LEGACY_VERIFY)
+		if ((param = SSL_CTX_get0_param(_ctx[sock])) != NULL) {
+			flags = X509_VERIFY_PARAM_get_flags(param);
+			flags |= X509_V_FLAG_LEGACY_VERIFY;
+			X509_VERIFY_PARAM_set_flags(param, flags);
+		}
+#endif
 	}
 	
 	_ssl_context[sock] = SSL_new(_ctx[sock]);
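Review bot: The added `#if defined(X509_V_FLAG_LEGACY_VERIFY)` block changes which certificate-chain verifier every session created from `_ctx[sock]` uses, but nothing in the code says why or when it can be removed. A short comment above the block would help the next maintainer judge whether the workaround is still needed, for example `/* Force the legacy X.509 verifier: <reason and affected servers, to be filled in>; drop once <condition> */`. The return value of `X509_VERIFY_PARAM_set_flags()` is also ignored, and a NULL `param` is skipped silently, so a failure to apply the flag would go unnoticed. If the flag is required for verification to succeed, a log line on those paths would make that visible. SSLOpen's body continues outside the hunk.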
