From 91e04a24af06de3e3959fdf2e6e84c0c894c439a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Igor=20Anic=CC=81?=
Date: Fri, 17 Oct 2025 16:33:06 +0200
Subject: [PATCH] skip certificate which is not part of the chain

Fixes: 25606

Browsers and curl ignore extra irrelevant certificates in the chain. This fix skips certificate which is not part of the chain. Remaining certificates still form an unbroken chain of signatures with the last one trusted by root CA.

Some other domain which also have extra certificates in the chain:
- jhu.edu
- last.fm
- terra.com.br
---
 lib/std/crypto/tls/Client.zig | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/std/crypto/tls/Client.zig b/lib/std/crypto/tls/Client.zig
index b697d624fa1a..f4340b7d0302 100644
--- a/lib/std/crypto/tls/Client.zig
+++ b/lib/std/crypto/tls/Client.zig
@@ -637,7 +637,14 @@ pub fn init(input: *Reader, output: *Writer, options: Options) InitError!Client
             // certificate_verify message later.
             try main_cert_pub_key.init(subject.pub_key_algo, subject.pubKey());
         } else {
-            try prev_cert.verify(subject, now_sec);
+            prev_cert.verify(subject, now_sec) catch |err| switch (err) {
+                error.CertificateIssuerMismatch => {
+                    // Skip certificate which is not part of the chain
+                    cert_index += 1;
+                    continue;
+                },
+                else => |e| return e,
+            };
         }
 
         switch (options.ca) {
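Review bot: The skip path `cert_index += 1; continue;` re-implements the loop's advance inline, so if the per-iteration bookkeeping below the hunk does more than bump `cert_index` (for example tracking bytes consumed from the certificate list or resetting per-certificate state), the early `continue` must mirror it or the next iteration will parse from the wrong offset; the enclosing loop and the whole of `init` start and end outside the hunk, so this cannot be confirmed here. Skipping only on `error.CertificateIssuerMismatch` preserves the security property — a skipped certificate is neither verified nor becomes `prev_cert`, so every accepted certificate is still signed by the one before it and the chain must still reach a trusted root via the `switch (options.ca)` check — and that reasoning belongs in the comment, e.g. `// Extraneous certificate (RFC 8446 §4.4.2 permits them): it is not verified and does not replace prev_cert, so the remaining chain must still link back to the trusted root.` One residual effect is that a peer can now pad the chain with unrelated certificates that are each parsed and handed to `verify` before being discarded; if no upper bound on certificate count exists outside the hunk, a cap on skipped certificates would bound that work.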