On 2017/06/13 12:11, Daniel Stenberg wrote: > On Tue, 13 Jun 2017, Stuart Henderson via curl-library wrote: > > > lib/vtls/openssl.c has a workaround for a bug with OCSP responses > > signed by intermediate certs, this was fixed in LibreSSL in > > https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0 > > > > Would it be appropriate to adjust the #ifdef to avoid the workaround? > > It looks fine to me. I take it you've tested this code with a new enough > libressl version and seen it working too?
I am able to connect to a site with a letsencrypt-signed cert with --cacert pointing to a file containing only the DST Root CA. From what I understand I think that should be a valid test. $ curl -I --cacert /tmp/dst.pem --cert-status -v https://spacehopper.org/ 2>&1 | grep ^..SSL.cert * SSL certificate status: good (0) ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
