HTTP: Fix OCSP status check
Due to missing curly brackets, the OCSP status checking was not working in the expected way. Instead of allowing optional-OCSP configuration to accept connection when OCSP response was ready, all such cases were marked as hard failures. In addition, the debug prints were not necessarily accurate for the mandatory-OCSP-but-no-response case (CID 72694, CID 72704). Signed-off-by: Jouni Malinen <j@w1.fi>
parent
cb5ef952c8
commit
9c196f7703
1 changed files with 2 additions and 1 deletions
|
@ -1177,9 +1177,10 @@ static int ocsp_resp_cb(SSL *s, void *arg)
|
||||||
|
|
||||||
if (status == V_OCSP_CERTSTATUS_GOOD)
|
if (status == V_OCSP_CERTSTATUS_GOOD)
|
||||||
return 1;
|
return 1;
|
||||||
if (status == V_OCSP_CERTSTATUS_REVOKED)
|
if (status == V_OCSP_CERTSTATUS_REVOKED) {
|
||||||
ctx->last_err = "Server certificate has been revoked";
|
ctx->last_err = "Server certificate has been revoked";
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
if (ctx->ocsp == MANDATORY_OCSP) {
|
if (ctx->ocsp == MANDATORY_OCSP) {
|
||||||
wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
|
wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
|
||||||
ctx->last_err = "OCSP status unknown";
|
ctx->last_err = "OCSP status unknown";
|
||||||
|
|
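Review bot: The outcome for a status that is neither good nor revoked is not documented at the `if (ctx->ocsp == MANDATORY_OCSP)` branch, which only becomes reachable with this fix. I would add a comment above it such as `/* Status is neither good nor revoked: fail only when OCSP is mandatory; optional OCSP accepts the connection */`, because per the commit message the optional configuration accepts such a response, and that handshake then has no revocation assurance. The accept path of `ocsp_resp_cb` lies below the hunk and is not visible here, so the wording should be checked against it. Since the original bug was an unbraced `if` that guarded only its first statement, it may also be worth bracing `if (status == V_OCSP_CERTSTATUS_GOOD)` the same way, if the project style permits.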