From 872085ce375c76723ff023d2a79e9d9a0852aa98 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Tue, 10 Oct 2017 15:18:52 +0200
Subject: [PATCH] BUG/MINOR: ssl: ocsp response with 'revoked' status is correct

ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status is a correct status and should not be dropped. In case of certificate with OCSP must-stapling extension, response with 'revoked' status must be provided as well as 'good' status. This patch can be backported in 1.7, 1.6 and 1.5.
---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6096f4608a..7b8570c749 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -621,8 +621,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
 id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
 rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
-if (rc != V_OCSP_CERTSTATUS_GOOD) {
-memprintf(err, "OCSP single response: certificate status not good");
+if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
+memprintf(err, "OCSP single response: certificate status is unknown");
 goto out;
 }
-- 
2.39.5
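Review bot: The new condition `if (rc == V_OCSP_CERTSTATUS_UNKNOWN)` turns the previous allowlist (`!= V_OCSP_CERTSTATUS_GOOD` rejected every other value) into a denylist that rejects only the unknown status, so any other return value of OCSP_single_get0_status — for instance the -1 that OpenSSL's implementation returns when handed a NULL single response, if that can occur here — would now be loaded as though it were a valid status. Since the commit message says the intent is to accept exactly 'good' and 'revoked', spelling that out keeps the check fail-closed: `if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {` together with `memprintf(err, "OCSP single response: certificate status is neither good nor revoked");`. The enclosing ssl_sock_load_ocsp_response() starts and ends outside the hunk, so whether sr is NULL-checked before this call, and how thisupd/nextupd are validated afterwards, is not visible here.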