author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-29 14:28:29 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-29 14:28:31 +0200 |
commit | d7b649024f739303137c4fa0006009b3157373e0 (patch) | |
tree | 4bebe6936088db95dbb2f3c7d213bc6809502149 /src/cli.c | |
parent | b0041897d2846737f5fb0fdf5210c9faf1fc0438 (diff) | |
download | gnutls-d7b649024f739303137c4fa0006009b3157373e0.tar.gz |
gnutls-cli: save OCSP response at the time certificate is saved
This ensures that the OCSP response is always saved, even when certificate
verification fails.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'src/cli.c')
-rw-r--r-- | src/cli.c | 25 |
1 files changed, 17 insertions, 8 deletions
@@ -323,6 +323,7 @@ static int cert_verify_callback(gnutls_session_t session)
 int dane = ENABLED_OPT(DANE);
 int ca_verify = ENABLED_OPT(CA_VERIFICATION);
 const char *txt_service;
+ gnutls_datum_t oresp;
 
 /* On an session with TOFU the PKI/DANE verification
 * become advisory.
@@ -332,10 +333,26 @@ static int cert_verify_callback(gnutls_session_t session)
 ssh = strictssh;
 }
 
+ /* Save certificate and OCSP response */
 if (HAVE_OPT(SAVE_CERT)) {
 try_save_cert(session);
 }
 
+ rc = gnutls_ocsp_status_request_get(session, &oresp);
+ if (rc < 0) {
+ oresp.data = NULL;
+ oresp.size = 0;
+ }
+
+ if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
+ FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
+
+ if (fp != NULL) {
+ fwrite(oresp.data, 1, oresp.size, fp);
+ fclose(fp);
+ }
+ }
+
 print_cert_info(session, verbose, print_cert);
 
 if (ca_verify) {
@@ -1030,14 +1047,6 @@ print_other_info(gnutls_session_t session)
 fputs((char*)p.data, stdout);
 }
 
- if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
- FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
-
- if (fp != NULL) {
- fwrite(oresp.data, 1, oresp.size, fp);
- fclose(fp);
- }
- }
 }
 
 static void flush_socket(socket_st *hd, unsigned ms) |
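Review bot: In the new SAVE_OCSP block of the second hunk the results of fwrite() and fclose() are discarded, so a short write or a failed flush leaves a truncated OCSP response on disk with no indication to the user who explicitly asked for it; `if (fwrite(oresp.data, 1, oresp.size, fp) != oresp.size || fclose(fp) != 0)` followed by a message on stderr naming OPT_ARG(SAVE_OCSP) would surface it. The silent `fopen()` failure branch deserves the same treatment, since a missing file after `--save-ocsp` is otherwise indistinguishable from "no response was stapled". The response is DER data, so opening with `"wb"` rather than `"w"` avoids newline translation on platforms that distinguish text mode. `rc` is assigned without a declaration in the hunk, so it is presumably an existing local of cert_verify_callback, which starts and ends outside the hunk.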