CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2020/08/03 13:27:58
Modified files:
lib/libssl : ssl_tlsext.c
Log message:
Correctly handle server requests for an OCSP response
According to RFC 8446, 4.4.2.1, a server may request that a client
present an OCSP response with its certificate by sending an empty
status_request extension as part of the certificate request. The
current code expects a full CertificateStatus structure, which is
only sent if the server sends an OCSP response with its certificate.
This causes interoperability issues with Go's TLS server and with
newer GnuTLS where we would abort the handshake with a decode_error
alert and length mismatch error.
Issue reported and diagnosed by Michael Forney
Problem also found by Mikolaj Kucharski and inoguchi.
ok inoguchi jsing
