| field | value | date |
|---|---|---|
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-03-23 23:00:53 +0100 |
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-03-23 23:33:11 +0100 |
| commit | 8e6bd7a1027e425748afb967f5f8cd0240f97677 (patch) | |
| tree | 36dcefe6f7959c3d940a460dbcddacf0605eb5e1 | |
| parent | b6d0c3d3fa3668cf91f236fcab1c5d99d211434b (diff) | |
| download | gnutls-8e6bd7a1027e425748afb967f5f8cd0240f97677.tar.gz | |
ocsp: gnutls_ocsp_resp_verify_direct will skip additional checks for certificates matching issuer
That eliminates an issue with ocsptool rejecting OCSP responses signed
by the same CA that signed the certificate. Reported by Thomas Klute.
-rw-r--r-- | lib/x509/ocsp.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c index 7686a4e8f3..6bebcb4a86 100644 --- a/lib/x509/ocsp.c +++ b/lib/x509/ocsp.c @@ -2086,7 +2086,9 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp, signercert = find_signercert(resp); if (!signercert) { signercert = issuer; - } else { /* response contains a signer. Verify him */ + } else if (!_gnutls_check_if_same_cert(signercert, issuer)) { + + /* response contains a signer. Verify him */ unsigned int vtmp; |
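Review bot: the new `} else if (!_gnutls_check_if_same_cert(signercert, issuer)) {` skips signer verification whenever the certificate embedded in the response compares equal to `issuer`, so the safety of this shortcut rests entirely on that helper comparing the whole certificate (its DER encoding, or at least its public key) and not only names or serial; `signercert` still points at the response-supplied copy after the branch, so if the comparison were weaker than that, an unverified certificate from the response would be the one used for the signature check. Consider assigning `signercert = issuer;` in the matching case so the caller-supplied, trusted copy is used, or add a comment stating what `_gnutls_check_if_same_cert` compares so the assumption is visible at this site. Minor: the empty `+` line between the opening brace and the `/* response contains a signer. Verify him */` comment looks like an accidental blank line.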