authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-29 14:28:29 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-29 14:28:31 +0200
commitd7b649024f739303137c4fa0006009b3157373e0 (patch)
tree4bebe6936088db95dbb2f3c7d213bc6809502149 /src/cli.c
parentb0041897d2846737f5fb0fdf5210c9faf1fc0438 (diff)
gnutls-cli: save OCSP response at the time certificate is saved
That ensures that we always save the OCSP response, even when certificate verification fails. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'src/cli.c')
-rw-r--r--src/cli.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/src/cli.c b/src/cli.c
index 435f49474f..7fb73d4f7e 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -323,6 +323,7 @@ static int cert_verify_callback(gnutls_session_t session)
int dane = ENABLED_OPT(DANE);
int ca_verify = ENABLED_OPT(CA_VERIFICATION);
const char *txt_service;
+ gnutls_datum_t oresp;
/* On an session with TOFU the PKI/DANE verification
* become advisory.
@@ -332,10 +333,26 @@ static int cert_verify_callback(gnutls_session_t session)
ssh = strictssh;
}
+ /* Save certificate and OCSP response */
if (HAVE_OPT(SAVE_CERT)) {
try_save_cert(session);
}
+ rc = gnutls_ocsp_status_request_get(session, &oresp);
+ if (rc < 0) {
+ oresp.data = NULL;
+ oresp.size = 0;
+ }
+
+ if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
+ FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
+
+ if (fp != NULL) {
+ fwrite(oresp.data, 1, oresp.size, fp);
+ fclose(fp);
+ }
+ }
+
print_cert_info(session, verbose, print_cert);
if (ca_verify) {
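Review bot: The save block added after `gnutls_ocsp_status_request_get()` ignores every I/O failure: a failed `fopen()` is skipped silently, and the results of `fwrite()` and `fclose()` are discarded. A user who passes the save-OCSP option can therefore end up with no file or a truncated one and no diagnostic. Since the OCSP response is binary data, the mode should also be `"wb"` so that text-mode translation cannot alter it on platforms that distinguish the two: `FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "wb");`, then compare `fwrite(oresp.data, 1, oresp.size, fp)` against `oresp.size` and report a mismatch on stderr. Because the response is now written before verification runs, the comment could say so, e.g. `/* Saved before verification: the file holds unverified peer-supplied data */`. cert_verify_callback starts and ends outside this hunk.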
@@ -1030,14 +1047,6 @@ print_other_info(gnutls_session_t session)
fputs((char*)p.data, stdout);
}
- if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
- FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
-
- if (fp != NULL) {
- fwrite(oresp.data, 1, oresp.size, fp);
- fclose(fp);
- }
- }
}
static void flush_socket(socket_st *hd, unsigned ms)