From aa80ef20504660fa55914d40fb4bb296eef94c59 Mon Sep 17 00:00:00 2001
From: Brendan Shanks <bshanks@codeweavers.com>
Date: Tue, 16 Jun 2020 13:48:22 -0700
Subject: [PATCH] winhttp: Treat a partial certificate chain as having an
 unknown/invalid CA.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46726
Signed-off-by: Brendan Shanks <bshanks@codeweavers.com>
Signed-off-by: Hans Leidekker <hans@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
---
 dlls/winhttp/net.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c
index 2905d5c535a..0cc2bb2bef7 100644
--- a/dlls/winhttp/net.c
+++ b/dlls/winhttp/net.c
@@ -84,8 +84,10 @@ static DWORD netconn_verify_cert( PCCERT_CONTEXT cert, WCHAR *server, DWORD secu
                 if (!(security_flags & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
                     err = ERROR_WINHTTP_SECURE_CERT_DATE_INVALID;
             }
-            else if (chain->TrustStatus.dwErrorStatus &
-                     CERT_TRUST_IS_UNTRUSTED_ROOT)
+            else if ((chain->TrustStatus.dwErrorStatus &
+                      CERT_TRUST_IS_UNTRUSTED_ROOT) ||
+                     (chain->TrustStatus.dwErrorStatus &
+                      CERT_TRUST_IS_PARTIAL_CHAIN))
             {
                 if (!(security_flags & SECURITY_FLAG_IGNORE_UNKNOWN_CA))
                     err = ERROR_WINHTTP_SECURE_INVALID_CA;