MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Mon, 9 Jan 2023 11:02:44 +0000 (12:02 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Mon, 9 Jan 2023 14:43:41 +0000 (15:43 +0100)
If the ocsp issuer certificate was actually taken from the certificate
chain in ssl_sock_load_ocsp, we don't need to keep an extra reference on
it since we already keep a reference to the full certificate chain.

src/ssl_sock.c

index bf7bb0135a7f4b2d5ae7ebde0fddd2391c066cc2..efa31eaffed955ef0d9d40325b7d822e8f3a86ee 100644 (file)
@@ -1244,8 +1244,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
                /* Do not insert the same certificate_ocsp structure in the
                 * update tree more than once. */
                if (!ocsp) {
-                       iocsp->issuer = issuer;
-                       X509_up_ref(issuer);
+                       /* Issuer certificate is not included in the certificate
+                        * chain, it will have to be treated separately during
+                        * ocsp response validation. */
+                       if (issuer == data->ocsp_issuer) {
+                               iocsp->issuer = issuer;
+                               X509_up_ref(issuer);
+                       }
                        if (data->chain)
                                iocsp->chain = X509_chain_up_ref(data->chain);