Commit ac2827ac authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

openssl: do the OCSP work-around for libressl too 

I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
still require the work-around for stapling to work.
parent bd9ac3cf

lib/vtls/openssl.c

+2 −1
Original line number Diff line number Diff line
@@ -1360,7 +1360,8 @@ static CURLcode verifystatus(struct connectdata *conn, 
  ch = SSL_get_peer_cert_chain(connssl->handle);

  st = SSL_CTX_get_cert_store(connssl->ctx);



#if (OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */

#if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \

     defined(LIBRESSL_VERSION_NUMBER))

  /* The authorized responder cert in the OCSP response MUST be signed by the

     peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,

     no problem, but if it's an intermediate cert OpenSSL has a bug where it