2 files changed, 18 insertions, 1 deletions

diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 755ec78127..120ee33454 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1778,12 +1778,15 @@ gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
  * gnutls_certificate_flags:
  * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
  * @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
+ * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, the gnutls_certificate_set_ocsp_status_request_file
+ *    function, will not check whether the response set matches any of the certificates.
  *
  * Enumeration of different certificate credentials flags.
  */
 typedef enum gnutls_certificate_flags {
 	GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
-	GNUTLS_CERTIFICATE_API_V2 = (1<<1)
+	GNUTLS_CERTIFICATE_API_V2 = (1<<1),
+	GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK = (1<<2)
 } gnutls_certificate_flags;
 
 void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
index 1150bd4b84..e5c002f0fb 100644
--- a/lib/ocsp-api.c
+++ b/lib/ocsp-api.c
@@ -241,6 +241,9 @@ unsigned resp_matches_pcert(gnutls_ocsp_resp_t resp, const gnutls_pcert_st *cert
  * when multiple responses which apply to the chain are available.
  * If the response provided does not match any certificates present
  * in the chain, the code %GNUTLS_E_OCSP_MISMATCH_WITH_CERTS is returned.
+ * To force the previous behavior set the flag %GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
+ * in the certificate credentials structure. In that case, only the
+ * end-certificates OCSP response can be set.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  *   otherwise a negative error code is returned.
@@ -264,6 +267,17 @@ gnutls_certificate_set_ocsp_status_request_file(gnutls_certificate_credentials_t
 	if (ret < 0)
 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 
+	if (sc->flags & GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK) {
+		/* quick load of first response */
+		gnutls_free(sc->certs[idx].ocsp_responses[0].data);
+
+		sc->certs[idx].ocsp_responses[0].data = der.data;
+		der.data = NULL;
+		sc->certs[idx].ocsp_responses[0].size = der.size;
+
+		return 0;
+	}
+
 	ret = gnutls_ocsp_resp_init(&resp);
 	if (ret < 0) {
 		gnutls_assert();