authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-09-28 19:00:19 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-09-28 19:00:19 +0200
commitdd3b2483a26a852dedb6223e4fcb389c0863998f (patch)
tree1f66e26cb391618268214ee9d6d2f844ac89aa37 /src/cli.c
parentf7210341ee723faf157236ee36ef96a3317958d2 (diff)
downloadgnutls-dd3b2483a26a852dedb6223e4fcb389c0863998f.tar.gz
Use the server's OCSP provided data when verifying a certificate's validity.
Diffstat (limited to 'src/cli.c')
-rw-r--r--src/cli.c25
1 files changed, 24 insertions, 1 deletions
diff --git a/src/cli.c b/src/cli.c
index aaf66c1c63..95a6da92ab 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -403,7 +403,7 @@ cert_verify_callback (gnutls_session_t session)
if (!insecure && !ssh)
return -1;
}
- else if (ENABLED_OPT(OCSP))
+ else if (ENABLED_OPT(OCSP) || status_request_ocsp)
{ /* off-line verification succeeded. Try OCSP */
rc = cert_verify_ocsp(session);
if (rc == 0)
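Review bot: The `ENABLED_OPT(OCSP) ||` half of the new condition on the else-if line looks redundant: the second hunk sets `status_request_ocsp = 1` whenever `ENABLED_OPT(OCSP)` is true, and option parsing presumably runs before the handshake reaches cert_verify_callback. Testing both leaves a reader unsure which one is the source of truth; `else if (status_request_ocsp)` with a comment such as `/* OCSP or STATUS_REQUEST_OCSP was given: off-line checks passed, now check revocation on-line */` says the same thing in one place. If the two tests are deliberately kept independent (for instance because the flag can be cleared elsewhere), a one-line comment stating that would be worth adding. cert_verify_callback starts and ends outside this hunk.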
@@ -1104,6 +1104,9 @@ const char* rest = NULL;
record_max_size = OPT_VALUE_RECORDSIZE;
status_request_ocsp = HAVE_OPT(STATUS_REQUEST_OCSP);
+ if (ENABLED_OPT(OCSP))
+ status_request_ocsp = 1;
+
fingerprint = HAVE_OPT(FINGERPRINT);
if (HAVE_OPT(X509FMTDER))
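Review bot: The added `if (ENABLED_OPT(OCSP)) status_request_ocsp = 1;` reads better folded into the assignment just above it: `status_request_ocsp = HAVE_OPT(STATUS_REQUEST_OCSP) || ENABLED_OPT(OCSP);` states the rule once instead of an unconditional assignment followed by an override. Either way the link between the two options is not obvious from the code and deserves a short comment, e.g. `/* the OCSP option needs a response to check, so it also enables the status_request (stapled OCSP) request */`. Presumably status_request_ocsp controls whether the client sends the TLS status_request extension; the code that does so is not in this hunk, so confirm the wording. The enclosing function starts and ends outside this hunk.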
@@ -1482,6 +1485,26 @@ cert_verify_ocsp (gnutls_session_t session)
ret = -1;
goto cleanup;
}
+
+ if (status_request_ocsp)
+ { /* try the server's OCSP response */
+ ret = gnutls_status_request_get_ocsp(session, &resp);
+ if (ret < 0 && !ENABLED_OPT(OCSP))
+ {
+ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ fprintf(stderr, "gnutls_status_request_get_ocsp: %s\n", gnutls_strerror(ret));
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (ret >= 0)
+ {
+ ret = check_ocsp_response(issuer, &resp);
+ if (ret >= 0 || !ENABLED_OPT(OCSP))
+ goto cleanup;
+ }
+ }
+
ret = send_ocsp_request(NULL, crt, issuer, &resp, 1);
if (ret < 0)