From 6f45cb995b51039df76873ca2ef6bfde2bc90941 Mon Sep 17 00:00:00 2001
From: Jonathan Bennett
Date: Fri, 24 Jan 2020 09:12:03 -0600
Subject: [PATCH 1/2] Allow loading symlinked certificates

When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes #3005. This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
---
 library/x509_crt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 9c2e36547..a4202be37 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1366,7 +1366,7 @@ cleanup:
 goto cleanup;
 }
 
- if( !S_ISREG( sb.st_mode ) )
+ if( !( S_ISREG( sb.st_mode ) || S_ISLNK( sb.st_mode ) ) )
 continue;
 
 // Ignore parse errors

From 68a24eba000b00bedfccada89b530efc8c14a548 Mon Sep 17 00:00:00 2001
From: Jaeden Amero
Date: Fri, 24 Jan 2020 18:20:22 +0000
Subject: [PATCH 2/2] Add ChangeLog entry

Add a ChangeLog entry for Jonathan Bennett's contribution which allows loading symlinked certificates.
---
 ChangeLog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index ef2e7b73f..36e63930e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.16.X branch released XXXX-XX-XX
+
+Bugfix
+ * Allow loading symlinked certificates. Fixes #3005. Reported and fixed
+ by Jonathan Bennett via #3008.
+
 = mbed TLS 2.16.5 branch released xxxx-xx-xx
 
 Security
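Review bot: In the library/x509_crt.c hunk, the new test `S_ISLNK( sb.st_mode )` never looks at what the link points to, and whether it can be true at all depends on how `sb` was filled, which is outside the hunk. If `sb` comes from `stat()`, the link has already been followed and the macro is never true, so the condition adds nothing; if it comes from `lstat()`, a dangling link or a link to a directory, device or FIFO now falls through to the parser as if it were a certificate file. For a directory that feeds the trust store, the target type is what should be checked: resolve the entry with `stat()` and keep `if( !S_ISREG( sb.st_mode ) ) continue;`, with a comment such as `/* stat() follows symlinks; only regular-file targets are parsed */`. The enclosing function starts and ends outside the hunk.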