Hi Willy,
On 10/22/2017 10:02 AM, Willy Tarreau wrote:
> Hi Manu,
>
> On Tue, Oct 10, 2017 at 03:44:07PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric,
>>
>>
>> ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
>> is a correct status and ocsp response should not be dropped.
>> In case of certificate with OCSP must-stapling extension, response with
>> 'revoked' status must be provided as well as 'good' status.
>
> given that it looks like a bug, I merged it and re-tagged it with BUG.

The manpage says:
"OCSP_single_get0_status() returns the status of single or -1 if an error occurred."

With this change, the -1 case is not handled correctly anymore it seems? I am not sure if it will ever happen, but I have attached a patch for it.

Regards,
Sander
>From 3ed07896ac1f5730dc34900988ae255c7462f8ff Mon Sep 17 00:00:00 2001 From: Sander Hoentjen <[email protected]> Date: Mon, 23 Oct 2017 10:45:46 +0200 Subject: [PATCH] BUG/MINOR: ssl: catch failure of OCSP_single_get0_status The manpage says: "OCSP_single_get0_status() returns the status of single or -1 if an error occurred." So we must handle -1 as well. --- src/ssl_sock.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 7b8570c74..5fb82fd62 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -625,6 +625,10 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi memprintf(err, "OCSP single response: certificate status is unknown"); goto out; } + else if (rc == -1) { + memprintf(err, "OCSP single response: certificate status request failed"); + goto out; + } if (!nextupd) { memprintf(err, "OCSP single response: missing nextupdate"); -- 2.13.6
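Review bot: the new `else if (rc == -1)` branch in the src/ssl_sock.c hunk is chained onto the "certificate status is unknown" check, but -1 is a failure of OCSP_single_get0_status() itself, not one of the certificate status values, so it is clearer (and less likely to be lost the next time the status comparisons are reworked) as a standalone `if (rc == -1)` checked before the status comparisons. The message "certificate status request failed" also suggests a network request was made, whereas OCSP_single_get0_status() only extracts the status from the single response already in hand; something like `memprintf(err, "OCSP single response: failed to read certificate status");` would describe the failure more accurately.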

