authorDaiki Ueno <ueno@gnu.org>2020-08-12 07:27:17 +0200
committerDaiki Ueno <ueno@gnu.org>2020-09-03 09:57:12 +0200
commit57e6f805f5dbbf4414c72733604d38772c9dcccf (patch)
tree206c615df17bf9851018dafa2e482f687344f832
parent04f26dd85ebe76c4a47afdf169ede4cc8f042e6d (diff)
downloadgnutls-57e6f805f5dbbf4414c72733604d38772c9dcccf.tar.gz
cert-session: fail hard if mandatory stapling is not honored
According to the documentation, the GNUTLS_CERT_INVALID flag must always be set in case of verification failure, together with the flag indicating the actual error cause. Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r--lib/cert-session.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index db04a25e5d..97f31597d5 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -415,6 +415,7 @@ _gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
if (feature == 5 /* TLS ID for status request */) {
/* We sent a status request, the certificate mandates a reply, but we did not get any. */
+ *ocsp_status |= GNUTLS_CERT_INVALID;
*ocsp_status |= GNUTLS_CERT_MISSING_OCSP_STATUS;
break;
}
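Review bot: The comment above the new `*ocsp_status |= GNUTLS_CERT_INVALID;` line still explains only the missing reply, not why the generic flag has to be set next to the specific cause, so a later cleanup could drop it as redundant. A short addition such as `/* GNUTLS_CERT_INVALID must accompany every failure cause; callers may test only that bit. */` would record the intent. The two updates could also be one statement, `*ocsp_status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_MISSING_OCSP_STATUS;`. The diffstat lists only lib/cert-session.c, so there appears to be no regression test asserting both bits when a must-staple certificate arrives without a stapled response; one would be worth adding. The enclosing function starts and ends outside the hunk.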