From bd9ac3cff2539bafb584ac4691151734792d312d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 24 Mar 2015 23:05:26 +0100 Subject: [PATCH] openssl: verifystatus: only use the OCSP work-around <= 1.0.2a URL: http://curl.haxx.se/mail/lib-2015-03/0205.html Reported-by: Alessandro Ghedini --- lib/vtls/openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 9a3f2c81a..d399e9aa5 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1360,6 +1360,7 @@ static CURLcode verifystatus(struct connectdata *conn, ch = SSL_get_peer_cert_chain(connssl->handle); st = SSL_CTX_get_cert_store(connssl->ctx); +#if (OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ /* The authorized responder cert in the OCSP response MUST be signed by the peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert, no problem, but if it's an intermediate cert OpenSSL has a bug where it @@ -1383,6 +1384,7 @@ static CURLcode verifystatus(struct connectdata *conn, } } } +#endif if(OCSP_basic_verify(br, ch, st, 0) <= 0) { failf(data, "OCSP response verification failed");