cert-session: fail hard if mandatory stapling is not honored
authorDaiki Ueno <ueno@gnu.org>
Wed, 12 Aug 2020 05:27:17 +0000 (07:27 +0200)
committerDaiki Ueno <ueno@gnu.org>
Wed, 12 Aug 2020 05:31:23 +0000 (07:31 +0200)
According to the documentation, the GNUTLS_CERT_INVALID flag must
always be set in case of verification failure, together with the flag
indicating the actual error cause.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/cert-session.c

index db04a25e5de29631f2face7965523ab27dfb7422..97f31597d5214dfbbce8ed66982a56b8c6532187 100644 (file)
@@ -415,6 +415,7 @@ _gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
 
                        if (feature == 5 /* TLS ID for status request */) {
                                /* We sent a status request, the certificate mandates a reply, but we did not get any. */
+                               *ocsp_status |= GNUTLS_CERT_INVALID;
                                *ocsp_status |= GNUTLS_CERT_MISSING_OCSP_STATUS;
                                break;
                        }
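Review bot: The added line and the one below it OR two flags into the same `*ocsp_status`, so the pairing the commit message describes would be clearer as one statement, `*ocsp_status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_MISSING_OCSP_STATUS;`, rather than two consecutive `|=` that a later edit could separate. The literal `5` on the `if` line carries its meaning only in the trailing comment; a named enum or `#define` for the status_request extension id would read better, though that is pre-existing code rather than part of this change. `_gnutls_ocsp_verify_mandatory_stapling` starts and ends outside the hunk, so whether the function's other failure paths set GNUTLS_CERT_INVALID consistently cannot be checked from here.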