From 9c196f7703a44e510116e068b99be52ef69e404f Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 7 Sep 2014 18:30:58 +0300 Subject: [PATCH] HTTP: Fix OCSP status check Due to a missing curly brackets, the OCSP status checking was not working in the expected way. Instead of allowing optional-OCSP configuration to accept connection when OCSP response was ready, all such cases were marked as hard failures. In addition, the debug prints were not necessarily accurate for the mandatory-OCSP-but-no-response case (CID 72694, CID 72704). Signed-off-by: Jouni Malinen --- src/utils/http_curl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/utils/http_curl.c b/src/utils/http_curl.c index 1e767d5ab..0c18269da 100644 --- a/src/utils/http_curl.c +++ b/src/utils/http_curl.c @@ -1177,9 +1177,10 @@ static int ocsp_resp_cb(SSL *s, void *arg) if (status == V_OCSP_CERTSTATUS_GOOD) return 1; - if (status == V_OCSP_CERTSTATUS_REVOKED) + if (status == V_OCSP_CERTSTATUS_REVOKED) { ctx->last_err = "Server certificate has been revoked"; return 0; + } if (ctx->ocsp == MANDATORY_OCSP) { wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required"); ctx->last_err = "OCSP status unknown";