librb/src/openssl.c: certfp: ignore the error X509_V_ERR_INVALID_PURPOSE

aaronmdjones · aaronmdjones · commit da2c36dbef7d · 2025-05-26T17:02:29.000Z
LetsEncrypt are going to be removing the clientAuth EKU from all of their
issued certificates in February 2026.  Conformant TLS implementations that
verify a client certificate following PKIX guidelines will reject these
certificates.

Fortunately we have our own verification callback, as we do not participate
in the Web PKI.  Ignore the error code corresponding to an invalid key
usage.
diff --git a/librb/src/openssl.c b/librb/src/openssl.c
@@ -587,6 +587,7 @@ rb_get_ssl_certfp(rb_fde_t *const F, uint8_t certfp[const RB_SSL_CERTFP_LEN], co
 	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 	case X509_V_ERR_CERT_UNTRUSTED:
+	case X509_V_ERR_INVALID_PURPOSE:
 		len = make_certfp(peer_cert, certfp, method);
 		// fallthrough
 	default:
