From: Emmanuel Hocdet Date: Tue, 10 Oct 2017 13:18:52 +0000 (+0200) Subject: BUG/MINOR: ssl: ocsp response with 'revoked' status is correct X-Git-Tag: v1.8-dev3~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=872085ce;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: ocsp response with 'revoked' status is correct ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status is a correct status and should not be dropped. In case of certificate with OCSP must-stapling extension, response with 'revoked' status must be provided as well as 'good' status. This patch can be backported in 1.7, 1.6 and 1.5. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 6096f4608a..7b8570c749 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -621,8 +621,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr); rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd); - if (rc != V_OCSP_CERTSTATUS_GOOD) { - memprintf(err, "OCSP single response: certificate status not good"); + if (rc == V_OCSP_CERTSTATUS_UNKNOWN) { + memprintf(err, "OCSP single response: certificate status is unknown"); goto out; }
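Review bot: the replacement check `if (rc == V_OCSP_CERTSTATUS_UNKNOWN)` in ssl_sock_load_ocsp_response turns the old allow-list (only GOOD accepted, everything else rejected) into a single deny-list entry, so any return value of OCSP_single_get0_status that is neither GOOD, REVOKED nor UNKNOWN, including an error return, now falls through and the response is loaded. Since the stated intent is to accept exactly the 'good' and 'revoked' statuses, an explicit allow-list keeps the fail-closed behaviour of the removed line: `if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {` paired with an error text such as `memprintf(err, "OCSP single response: certificate status is neither good nor revoked");`. The rest of the hunk (accepting 'revoked' so that a must-staple certificate can still be served with a valid, if negative, OCSP response) matches the commit message.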