BUG/MINOR: ssl: ocsp response with 'revoked' status is correct

ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
is a correct status and should not be dropped.
In case of certificate with OCSP must-stapling extension, response with
'revoked' status must be provided as well as 'good' status.

This patch can be backported in 1.7, 1.6 and 1.5.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6096f4608ad935ba086cd903d767d2410ae447bd..7b8570c7490d2d8d8ea88976c43cd652cdb9d0c0 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -621,8 +621,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
        id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
 
        rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
-       if (rc != V_OCSP_CERTSTATUS_GOOD) {
-               memprintf(err, "OCSP single response: certificate status not good");
+       if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
+               memprintf(err, "OCSP single response: certificate status is unknown");
                goto out;
        }