Commit bd9ac3cf authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

openssl: verifystatus: only use the OCSP work-around <= 1.0.2a 

URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
Reported-by: Alessandro Ghedini
parent 7e6ca87a

lib/vtls/openssl.c

+2 −0
Original line number Diff line number Diff line
@@ -1360,6 +1360,7 @@ static CURLcode verifystatus(struct connectdata *conn, 
  ch = SSL_get_peer_cert_chain(connssl->handle);

  st = SSL_CTX_get_cert_store(connssl->ctx);



#if (OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */

  /* The authorized responder cert in the OCSP response MUST be signed by the

     peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,

     no problem, but if it's an intermediate cert OpenSSL has a bug where it
@@ -1383,6 +1384,7 @@ static CURLcode verifystatus(struct connectdata *conn, 
      }

    }

  }

#endif



  if(OCSP_basic_verify(br, ch, st, 0) <= 0) {

    failf(data, "OCSP response verification failed");