From 9f54ad8f15172d52cc0df9de8b65887c13a54a90 Mon Sep 17 00:00:00 2001 From: Stuart Henderson Date: Tue, 13 Jun 2017 12:06:03 +0200 Subject: libressl: OCSP and intermediate certs workaround no longer needed lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed by intermediate certs, this was fixed in LibreSSL in https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0 Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html --- lib/vtls/openssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 9def5ab66..dbee36929 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1371,7 +1371,8 @@ static CURLcode verifystatus(struct connectdata *conn, st = SSL_CTX_get_cert_store(connssl->ctx); #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \ - defined(LIBRESSL_VERSION_NUMBER)) + (defined(LIBRESSL_VERSION_NUMBER) && \ + LIBRESSL_VERSION_NUMBER <= 0x2040200fL)) /* The authorized responder cert in the OCSP response MUST be signed by the peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert, no problem, but if it's an intermediate cert OpenSSL has a bug where it -- cgit v1.2.3