Commit d771b44e authored by Steve Holme

openssl: Disable OCSP in old versions of OpenSSL

Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
parent 7eebf9a3
+8 −4
@@ -1323,7 +1323,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
  return result;
}

#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
    !defined(HAVE_BORINGSSL)
static CURLcode verifystatus(struct connectdata *conn,
                             struct ssl_connect_data *connssl)
{
@@ -2060,7 +2061,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
    return CURLE_OUT_OF_MEMORY;
  }

#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
    !defined(HAVE_BORINGSSL)
  if(data->set.ssl.verifystatus)
    SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
@@ -2748,7 +2750,8 @@ static CURLcode servercert(struct connectdata *conn,
      infof(data, "\t SSL certificate verify ok.\n");
  }

#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
    !defined(HAVE_BORINGSSL)
  if(data->set.ssl.verifystatus) {
    result = verifystatus(conn, connssl);
    if(result) {
@@ -3202,7 +3205,8 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */

bool Curl_ossl_cert_status_request(void)
{
#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
    !defined(HAVE_BORINGSSL)
  return TRUE;
#else
  return FALSE;
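Review bot: The same three-term guard is now repeated verbatim at four sites (before verifystatus(), in ossl_connect_step1(), in servercert() and in Curl_ossl_cert_status_request()), and OCSP enforcement is only safe while all four stay identical. If the capability function ever returned TRUE while the servercert() block was compiled out, a requested certificate-status check would be skipped without any error, presumably leaving the caller believing that revocation status had been verified. Evaluating the condition once near the top of the file and testing a single macro at each site removes that drift risk, for example `#define HAVE_OCSP_STAPLING_SUPPORT 1` (a suggested name, not an existing one) under one `#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && ...` block, then `#ifdef HAVE_OCSP_STAPLING_SUPPORT` at the four sites. A short comment such as `/* 0x0090808fL == OpenSSL 0.9.8h, first version with the OCSP stapling functions */` would also explain the constant. All four enclosing functions start or end outside the hunks shown.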