mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html Reported-by: Alessandro Ghedini
This commit is contained in:
parent
7e6ca87a72
commit
bd9ac3cff2
@ -1360,6 +1360,7 @@ static CURLcode verifystatus(struct connectdata *conn,
|
||||
ch = SSL_get_peer_cert_chain(connssl->handle);
|
||||
st = SSL_CTX_get_cert_store(connssl->ctx);
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */
|
||||
/* The authorized responder cert in the OCSP response MUST be signed by the
|
||||
peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
|
||||
no problem, but if it's an intermediate cert OpenSSL has a bug where it
|
||||
@ -1383,6 +1384,7 @@ static CURLcode verifystatus(struct connectdata *conn,
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
|
||||
failf(data, "OCSP response verification failed");
|
||||
|
Loading…
Reference in New Issue
Block a user