author | Daiki Ueno <ueno@gnu.org> | 2020-08-12 07:27:17 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-08-12 07:31:23 +0200 |
commit | 8fccb481601eea346f3598a969371b90baeb08e1 (patch) | |
tree | 472e8fc40294aa18e8d1874d8876dc45795bb035 /lib | |
parent | 606b77a2422c7e4124d80904bd191184323205fc (diff) | |
download | gnutls-8fccb481601eea346f3598a969371b90baeb08e1.tar.gz |
cert-session: fail hard if mandatory stapling is not honored
According to the documentation, the GNUTLS_CERT_INVALID flag must
always be set in case of verification failure, together with the flag
indicating the actual error cause.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/cert-session.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c index db04a25e5d..97f31597d5 100644 --- a/lib/cert-session.c +++ b/lib/cert-session.c @@ -415,6 +415,7 @@ _gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session, if (feature == 5 /* TLS ID for status request */) { /* We sent a status request, the certificate mandates a reply, but we did not get any. */ + *ocsp_status |= GNUTLS_CERT_INVALID; *ocsp_status |= GNUTLS_CERT_MISSING_OCSP_STATUS; break; } |
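Review bot: the added `*ocsp_status |= GNUTLS_CERT_INVALID;` in the `feature == 5` branch changes what callers see, and nothing in the visible lines documents or tests that. Before this line, a missing mandatory staple set only GNUTLS_CERT_MISSING_OCSP_STATUS, so an application that checks only `status & GNUTLS_CERT_INVALID` would have accepted the certificate; after it, the same application rejects it. That is the intended fix according to the commit message, but it deserves a release-note entry and a regression test that presents a must-staple certificate without a stapled response and asserts both flags are set (the diffstat here is limited to 'lib', so these may exist elsewhere in the commit). As a style point, the two consecutive `|=` statements could be merged into one, `*ocsp_status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_MISSING_OCSP_STATUS;`, which keeps the generic flag and its cause visibly paired. It is also worth checking the other places in this file that set a specific failure-cause flag on `*ocsp_status` to confirm they set GNUTLS_CERT_INVALID too.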