On Fri, Jan 16, 2015 at 11:27:24 +0100, Daniel Stenberg wrote:
> On Thu, 15 Jan 2015, Alessandro Ghedini wrote:
>
> > This new version returns an error when trying to set the
> > CURLOPT_SSL_VERIFYSTATUS option if the SSL backend doesn't support the
> > status_request extension. I also updated the CURLOPT_SSL_VERIFYSTATUS
> > manpage to reflect this.
>
> I merged your patches just now with some minor edits.
Nice, thanks!

> Now, let's get back to that OpenSSL version of the OCSP patch to see where
> we are with that and how to get it right!

So, I just rebased and updated the OpenSSL patch [0].

Of course the original problem that openssl doesn't like non-trusted signer
certificates (even if they are validated by a certificate in the trust store)
persists. The work-around is to use a special flag OCSP_TRUSTOTHER which
basically means that we can pass additional certificates to the OCSP verify
function which would be considered as trusted. This means that no checks at
all are performed on those certificates.

Unfortunately OCSP_TRUSTOTHER doesn't always work for some weird OCSP
responses (e.g. those from DigiCert/Cloudflare).

The proper solution would be to get openssl fixed of course (other projects
such as nginx seem to be affected by this as well) but that may take a lot
of time.

Cheers

[0] https://github.com/ghedo/curl/commit/status_request
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
