From 57e6f805f5dbbf4414c72733604d38772c9dcccf Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 12 Aug 2020 07:27:17 +0200 Subject: cert-session: fail hard if mandatory stapling is not honored According to the documentation, the GNUTLS_CERT_INVALID flag must always be set in case of verification failure, together with the flag indicating the actual error cause. Signed-off-by: Daiki Ueno --- lib/cert-session.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/cert-session.c b/lib/cert-session.c index db04a25e5d..97f31597d5 100644 --- a/lib/cert-session.c +++ b/lib/cert-session.c @@ -415,6 +415,7 @@ _gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session, if (feature == 5 /* TLS ID for status request */) { /* We sent a status request, the certificate mandates a reply, but we did not get any. */ + *ocsp_status |= GNUTLS_CERT_INVALID; *ocsp_status |= GNUTLS_CERT_MISSING_OCSP_STATUS; break; } -- cgit v1.2.1