check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.
Similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.
Remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.
Fixes: c6724060e267f "RT2206: Add -issuer flag to ocsp command"
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 21:02:52 2026
(Merged from https://github.com/openssl/openssl/pull/30323)
i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
if (i <= 0 && issuers) {
- i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
+ i = OCSP_basic_verify(bs, issuers, store, verify_flags);
if (i > 0)
ERR_clear_error();
}
goto end;
}
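Review bot: the retry with the -issuer certificates now passes verify_flags, so those certificates become candidate responder signers that must chain to the trust store unless the caller explicitly opted in with -trust_other; that behaviour change is user-visible and should be stated in the -issuer entry of the openssl-ocsp(1) manual page and in the change log, since invocations that relied on the previous implicit trust will now fail verification. The existing `if (i > 0) ERR_clear_error();` still only discards the first call's errors on success, so a failure of the retry leaves both error stacks in the queue, which is the behaviour a reader would want.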
- if (OCSP_basic_verify(bs, ctx->chain, ctx->store, OCSP_TRUSTOTHER) <= 0) {
+ if (OCSP_basic_verify(bs, ctx->chain, ctx->store, 0) <= 0) {
ret = X509_V_ERR_OCSP_SIGNATURE_FAILURE;
goto end;
}
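Review bot: with the flags fixed at 0, every OCSP_basic_verify failure on the stapled response, including a responder certificate that is correctly signed but does not chain to ctx->store, is collapsed into X509_V_ERR_OCSP_SIGNATURE_FAILURE; that error name will mislead operators debugging a stapled response that this change newly rejects, so consider mapping the trust-store failure (OCSP_basic_verify returning 0 rather than a negative fatal error) to a distinct verification error, or at least preserving the OCSP error queue before `goto end;`. A regression test with a stapled response signed by a certificate taken from the peer chain but not anchored in ctx->store should accompany this hunk, as that is precisely the case the fix is meant to reject.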