From: Nikos Mavrogiannopoulos Date: Wed, 23 Mar 2016 22:00:53 +0000 (+0100) Subject: ocsp: gnutls_ocsp_resp_verify_direct will skip additional checks for certificates... X-Git-Tag: gnutls_3_5_0~235 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ed53e44f7cedd04bf3e21744fa1971b5620701ac;p=thirdparty%2Fgnutls.git ocsp: gnutls_ocsp_resp_verify_direct will skip additional checks for certificates matching issuer That eliminates issue with ocsptool rejecting OCSP responses signed by the same CA that signed the certificate. Reported by Thomas Klute. --- diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c index 8049e24e91..7e762bbfef 100644 --- a/lib/x509/ocsp.c +++ b/lib/x509/ocsp.c @@ -2086,7 +2086,9 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp, signercert = find_signercert(resp); if (!signercert) { signercert = issuer; - } else { /* response contains a signer. Verify him */ + } else if (!_gnutls_check_if_same_cert(signercert, issuer)) { + + /* response contains a signer. Verify him */ unsigned int vtmp;
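Review bot: The new `else if (!_gnutls_check_if_same_cert(signercert, issuer))` branch creates a third path that the visible lines do not account for: `signercert` was obtained from `find_signercert(resp)` (so it is not the caller's `issuer`), the comparison matches, and control falls through past the `if`/`else` with the signer's extra verification skipped. Please confirm two things in the code that follows this hunk (the hunk is cut off at `unsigned int vtmp;`, so it is not visible here): first, that the response signature is still checked against `signercert` on that path, since the point of the change is only to skip the additional chain/extended-key-usage checks for a signer that is the issuer itself, not to skip signature verification; second, that the cleanup at the end of the function still releases the `signercert` returned by `find_signercert` on this path, because the original code only ever reached the fall-through with `signercert == issuer`. It is also worth stating, in a comment next to the new condition, what `_gnutls_check_if_same_cert` compares: if it compares the full DER encoding the skip is sound, whereas a name-only comparison would let a differently-keyed certificate with the issuer's subject bypass the signer checks. Minor style point: the blank line between `{` and the `/* response contains a signer. Verify him */` comment is stray and should be dropped.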