openssl: verifystatus: only use the OCSP work-around <= 1.0.2a

URL: http://curl.haxx.se/mail/lib-2015-03/0205.html Reported-by: Alessandro Ghedini
author: Daniel Stenberg <daniel@haxx.se> 2015-03-24 23:05:26 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2015-03-24 23:06:37 +0100
commit: bd9ac3cff2539bafb584ac4691151734792d312d (patch)
tree: df257c88de1689d2f6f143e4f60e00a08262afed /lib/vtls/openssl.c
parent: 7e6ca87a72431a0bae729bffc3c51a66074b6936 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 9a3f2c81a..d399e9aa5 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1360,6 +1360,7 @@ static CURLcode verifystatus(struct connectdata *conn,
   ch = SSL_get_peer_cert_chain(connssl->handle);
   st = SSL_CTX_get_cert_store(connssl->ctx);
 
+#if (OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */
   /* The authorized responder cert in the OCSP response MUST be signed by the
      peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
      no problem, but if it's an intermediate cert OpenSSL has a bug where it
@@ -1383,6 +1384,7 @@ static CURLcode verifystatus(struct connectdata *conn,
       }
     }
   }
+#endif
 
   if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
     failf(data, "OCSP response verification failed");
author	Daniel Stenberg <daniel@haxx.se>	2015-03-24 23:05:26 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2015-03-24 23:06:37 +0100
commit	bd9ac3cff2539bafb584ac4691151734792d312d (patch)
tree	df257c88de1689d2f6f143e4f60e00a08262afed /lib/vtls/openssl.c
parent	7e6ca87a72431a0bae729bffc3c51a66074b6936 (diff)