#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct Curl_cfilter *cf,
- struct Curl_easy *data)
+ struct Curl_easy *data,
+ struct ossl_ctx *octx)
{
- struct ssl_connect_data *connssl = cf->ctx;
int i, ocsp_status;
#if defined(OPENSSL_IS_AWSLC)
const uint8_t *status;
OCSP_BASICRESP *br = NULL;
X509_STORE *st = NULL;
STACK_OF(X509) *ch = NULL;
- struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
X509 *cert;
OCSP_CERTID *id = NULL;
int cert_status, crl_reason;
int ret;
long len;
+ (void)cf;
DEBUGASSERT(octx);
len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
!defined(OPENSSL_NO_OCSP)
if(conn_config->verifystatus && !octx->reused_session) {
/* don't do this after Session ID reuse */
- result = verifystatus(cf, data);
+ result = verifystatus(cf, data, octx);
if(result) {
/* when verifystatus failed, remove the session id from the cache again
if present */
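Review bot: The `/* don't do this after Session ID reuse */` comment above the new `verifystatus(cf, data, octx)` call explains what is skipped but not why that is safe, and a reader auditing `--cert-status` could read it as OCSP being silently bypassed on resumed connections. The hunk itself shows the justification: a failed check evicts the session from the cache, so a resumed session can only inherit a status that passed on its original full handshake. I would make that explicit: `/* Skip on a resumed session: the stapled OCSP status was checked on the original full handshake, and a failure there evicts the session from the cache below, so only a verified status can be resumed. */`. Worth adding, hedged, that this presumably means a revocation published after the full handshake is not noticed until the cached session expires or is evicted. The enclosing function starts and ends outside the hunk.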
assert r.json['SSL_CIPHER'] in cipher_names, f'{r.json}'
else:
assert r.exit_code != 0, f'{r}'
+
+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+ def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
+ if proto == 'h3' and not env.have_h3():
+ pytest.skip("h3 not supported")
+ if not env.curl_uses_lib('openssl') and \
+ not env.curl_uses_lib('gnutls') and \
+ not env.curl_uses_lib('quictls'):
+ pytest.skip("tls library does not support --cert-status")
+ curl = CurlClient(env=env)
+ domain = f'localhost'
+ url = f'https://{env.authority_for(domain, proto)}/'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--cert-status'
+ ])
+ # CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info
+ assert r.exit_code == 91, f'{r}'
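Review bot: `domain = f'localhost'` is an f-string with no placeholders; it should be the plain literal `domain = 'localhost'` (the `url` line below it is the one that actually interpolates). On substance, the new test only pins the fail-closed path: with `--cert-status` and no stapled response, curl must exit with 91 (CURLE_SSL_INVALIDCERTSTATUS), which is the right default and good to lock down. There is no positive case showing that a stapled good response is accepted, nor a negative one showing a stapled revoked response is rejected, so a regression that made `--cert-status` reject everything would still pass this test. If the test httpd can be made to staple a response, a second parametrized case would cover that; if it cannot, a one-line comment saying so, e.g. `# only the no-OCSP-info path is covered; the test server does not staple`, would keep the gap visible.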