upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-21 22:28:41 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 13

BUG/MINOR: ssl: OCSP_single_get0_status can return -1

Browse source 
Commit 872085ce "BUG/MINOR: ssl: ocsp response with 'revoked' status is correct"
introduce a regression. OCSP_single_get0_status can return -1 and haproxy must
generate an error in this case.
Thanks to Sander Hoentjen who have spotted the regression.

This patch should be backported in 1.7, 1.6 and 1.5 if the patch above is
backported.
This commit is contained in:
Emmanuel Hocdet 2017-10-24 14:57:16 +02:00 committed by Willy Tarreau
parent 019f9b10ef
commit ef60705075
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/ssl_sock.c
View file

@ -622,7 +622,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {
memprintf(err, "OCSP single response: certificate status is unknown");
goto out;
}