From d646d5a130993b8c438aa193463556e5efb2a54b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 31 Oct 2025 17:09:31 +0100
Subject: [PATCH] openssl: fix the ocsp len arg to Curl_vtls_apple_verify

If it has no data, pass in a zero.
Fixes #19303
Reported-by: Harry Sintonen
Closes #19305
---
 lib/vtls/openssl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 838c024221..a2b2da00e0 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5129,6 +5129,10 @@ static CURLcode ossl_apple_verify(struct Curl_cfilter *cf,
 if(conn_config->verifystatus && !octx->reused_session)
 ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data);
+ /* SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP
+ response data or -1 if there is no OCSP response data. */
+ if(ocsp_len < 0)
+ ocsp_len = 0; /* no data available */
 result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs, ossl_chain_get_der, &chain, ocsp_data, ocsp_len);
--
2.47.3
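Review bot: The clamp at `if(ocsp_len < 0)` normalises only the length; `ocsp_data` keeps whatever pointer value SSL_get_tlsext_status_ocsp_resp() left in it, and its declaration and initial value are not visible in this hunk. Resetting both together, `if(ocsp_len < 0) { ocsp_len = 0; ocsp_data = NULL; }`, would hand Curl_vtls_apple_verify() a consistent pointer/length pair. Because this path runs only when `conn_config->verifystatus` is set, a short comment naming where a missing stapled response is rejected would also help; from these lines alone a zero length reads as if it could be accepted silently, though that check may well live elsewhere. ossl_apple_verify() starts and ends outside the hunk.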