CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2020/08/03 13:27:58

Modified files:
	lib/libssl     : ssl_tlsext.c

Log message:
Correctly handle server requests for an OCSP response

According to RFC 8446, 4.4.2.1, a server may request that a client
present an OCSP response with its certificate by sending an empty
status_request extension as part of the certificate request. The current
code expects a full CertificateStatus structure, which is only sent if
the server sends an OCSP response with its certificate.

This causes interoperability issues with Go's TLS server and with newer
GnuTLS where we would abort the handshake with a decode_error alert and
length mismatch error.

Issue reported and diagnosed by Michael Forney

Problem also found by Mikolaj Kucharski and inoguchi.

ok inoguchi jsing
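The distinction the log message describes, as an added example that is not the libssl code from this commit: a client-side parser that accepts an empty status_request in a CertificateRequest and a full CertificateStatus in a Certificate message. The function, enum and return codes are hypothetical, and rejecting a non-empty body in the CertificateRequest case is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hs_msg { MSG_CERTIFICATE_REQUEST, MSG_CERTIFICATE };

/*
 * Client-side parse of status_request extension data in TLS 1.3.
 * Returns 0 on success, -1 when the caller should send decode_error.
 * All names here are hypothetical, not libssl's.
 */
int parse_status_request(enum hs_msg msg, const uint8_t *data, size_t len,
    const uint8_t **ocsp, size_t *ocsp_len, int *ocsp_requested)
{
	size_t resp_len;

	*ocsp = NULL;
	*ocsp_len = 0;
	*ocsp_requested = 0;
	if (msg == MSG_CERTIFICATE_REQUEST) {
		/* RFC 8446 4.4.2.1: an empty extension asks the client for OCSP. */
		if (len != 0)
			return -1;	/* assumption: anything else is malformed */
		*ocsp_requested = 1;
		return 0;
	}
	/* Certificate: CertificateStatus = status_type(1) + opaque<1..2^24-1>. */
	if (len < 4 || data[0] != 1)	/* 1 = ocsp */
		return -1;
	resp_len = ((size_t)data[1] << 16) | ((size_t)data[2] << 8) | data[3];
	if (resp_len == 0 || resp_len != len - 4)
		return -1;	/* length mismatch */
	*ocsp = data + 4;
	*ocsp_len = resp_len;
	return 0;
}

int main(void)
{
	const uint8_t *ocsp;
	size_t n;
	int req;
	/* Constructed input: the empty extension body from a CertificateRequest. */
	printf("read as CertificateStatus:  %d\n",
	    parse_status_request(MSG_CERTIFICATE, NULL, 0, &ocsp, &n, &req));
	printf("read as CertificateRequest: %d\n",
	    parse_status_request(MSG_CERTIFICATE_REQUEST, NULL, 0, &ocsp, &n, &req));
	return 0;
}
```

The first call reproduces the failure mode in the log message: an empty body fed to the CertificateStatus branch is a length mismatch, while the message-aware branch accepts it.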