Hi Willy,
On 10/22/2017 10:02 AM, Willy Tarreau wrote:
> Hi Manu,
>
> On Tue, Oct 10, 2017 at 03:44:07PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric,
>>
>>
>> ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
>> is a correct status and ocsp response should not be dropped.
>> In case of certificate with OCSP must-stapling extension, response with
>> 'revoked' status must be provided as well as 'good' status.
> given that it looks like a bug, I merged it and re-tagged it with BUG.
The manpage says:
"OCSP_single_get0_status() returns the status of single or -1 if an
error occurred."
With this change, the -1 case is not handled correctly anymore it seems?
I am not sure if it will ever happen, but I have attached a patch for it.
Regards,
Sander
From 3ed07896ac1f5730dc34900988ae255c7462f8ff Mon Sep 17 00:00:00 2001
From: Sander Hoentjen
Date: Mon, 23 Oct 2017 10:45:46 +0200
Subject: [PATCH] BUG/MINOR: ssl: catch failure of OCSP_single_get0_status
The manpage says:
"OCSP_single_get0_status() returns the status of single or -1 if an error
occurred." So we must handle -1 as well.
---
src/ssl_sock.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7b8570c74..5fb82fd62 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -625,6 +625,10 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
memprintf(err, "OCSP single response: certificate status is unknown");
goto out;
}
+ else if (rc == -1) {
+ memprintf(err, "OCSP single response: certificate status request failed");
+ goto out;
+ }
if (!nextupd) {
memprintf(err, "OCSP single response: missing nextupdate");
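Review bot: the `else` on the added `+ else if (rc == -1)` branch is redundant, because the preceding block ends in `goto out` and can never fall through; a plain `if (rc < 0)` placed directly after the OCSP_single_get0_status() call would cover the documented -1 return and keep the error check ahead of the status comparisons instead of after them. The message "certificate status request failed" is also slightly misleading on this path, which is parsing a response that was already obtained rather than issuing a request; wording such as "could not read certificate status" describes the failure better.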
--
2.13.6
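The thread settles on two rules for the value OCSP_single_get0_status() returns: 'good' and 'revoked' are both valid, signed answers that must be stapled (Manu's point), and -1 is an error sentinel that must never be read as a status (Sander's patch). The following C block is an added example, not HAProxy code; it isolates that decision in one function so every documented return value is exercised. It assumes the V_OCSP_CERTSTATUS_* values OpenSSL's <openssl/ocsp.h> defines (good=0, revoked=1, unknown=2) and redefines them locally only so the example builds without OpenSSL; the inputs in main() are constructed.

```c
#include <stdio.h>

/* Mirrors the status constants from OpenSSL's <openssl/ocsp.h>, defined
 * here only so this example builds without OpenSSL. When the real header
 * is included first, its definitions are used instead. */
#ifndef V_OCSP_CERTSTATUS_GOOD
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2
#endif

/* Decide whether a parsed single response may be stapled. rc is the raw
 * return value of OCSP_single_get0_status(). Returns 1 to accept the
 * response and 0 to reject it; on rejection *err points at a static
 * reason string, otherwise *err is NULL. */
int ocsp_status_accept(int rc, const char **err)
{
    *err = NULL;

    /* Documented error sentinel (-1): check it before any status
     * comparison so an error can never be mistaken for a status. */
    if (rc < 0) {
        *err = "OCSP single response: could not read certificate status";
        return 0;
    }

    switch (rc) {
    case V_OCSP_CERTSTATUS_GOOD:
    case V_OCSP_CERTSTATUS_REVOKED:
        /* 'revoked' is a correct, signed answer and must still be served,
         * in particular to clients that require must-staple. */
        return 1;
    case V_OCSP_CERTSTATUS_UNKNOWN:
        /* The responder cannot vouch for the certificate: do not staple. */
        *err = "OCSP single response: certificate status is unknown";
        return 0;
    default:
        /* Any value outside the documented set is treated as an error. */
        *err = "OCSP single response: unexpected status value";
        return 0;
    }
}

int main(void)
{
    /* Constructed inputs: the three documented statuses, the -1 error
     * sentinel and an out-of-range value. */
    int samples[] = { V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED,
                      V_OCSP_CERTSTATUS_UNKNOWN, -1, 42 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *err;
        int ok = ocsp_status_accept(samples[i], &err);
        printf("rc=%2d -> %s%s%s\n", samples[i], ok ? "accept" : "reject",
               err ? ": " : "", err ? err : "");
    }
    return 0;
}
```

Keeping the `rc < 0` test ahead of the status switch is the point of the example: a caller that compares rc against the status constants first has already interpreted an error as data by the time a trailing `== -1` check runs.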