BUG/MINOR: ssl: ocsp response with 'revoked' status is correct

ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
is a correct status and should not be dropped.
In case of certificate with OCSP must-stapling extension, response with
'revoked' status must be provided as well as 'good' status.

This patch can be backported in 1.7, 1.6 and 1.5.
Emmanuel Hocdet 2017-10-10 15:18:52 +02:00 committed by Willy Tarreau
parent cbc6524a19
commit 872085ce37

@ -621,8 +621,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
if (rc != V_OCSP_CERTSTATUS_GOOD) {
memprintf(err, "OCSP single response: certificate status not good");
if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
memprintf(err, "OCSP single response: certificate status is unknown");
goto out;
}
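Review bot: The new condition `rc == V_OCSP_CERTSTATUS_UNKNOWN` rejects exactly one value, so any other value rc may hold now passes this check, not only 'good' and 'revoked' as the commit message intends. Stating the accepted set explicitly, `if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED)`, with a generic error message for that branch, keeps the check an allow-list. Separately, `reason` and `revtime` are filled in by OCSP_single_get0_status() but nothing in the visible lines reports them; a warning when a 'revoked' response is loaded would let operators notice that they are stapling a revocation.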