authorBrian Smith <brian@briansmith.org>2013-12-21 23:03:49 -0800
committerBrian Smith <brian@briansmith.org>2013-12-21 23:03:49 -0800
commite273f5335b323cddfe03fd4cbcfe581f4ad65c73 (patch)
tree542230520afc749ed6d3680f933e35dae56a3220
parent09c9c2b79216f5bb57ffa358fba5784d8dcc1dd9 (diff)
Bug 952808: Make CERT_CacheOCSPResponseFromSideChannel replace error entries when a better entry is passed in, r=wtc (tag: NSS_3_15_4_BETA10)
-rw-r--r--lib/certhigh/ocsp.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c
index a52057aa6..d9c32890d 100644
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -5209,8 +5209,12 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
certID = CERT_CreateOCSPCertID(cert, time);
if (!certID)
return SECFailure;
+
+ /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached
+ * error entry is not interpreted as being a 'Good' entry here.
+ */
rv = ocsp_GetCachedOCSPResponseStatus(
- certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
+ certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */
&rvOcsp, &dummy_error_code, &freshness);
if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) {
/* The cached value is good. We don't want to waste time validating
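Review bot: The new comment above the ocsp_GetCachedOCSPResponseStatus call states the effect of PR_TRUE but not the mechanism, which a reader cannot recover from the parameter name alone; I would expand it to `/* Honouring the global failure setting (presumably the non-fatal OCSP failure mode) makes ocsp_GetCachedOCSPResponseStatus report a cached error entry as SECSuccess, which would pass the "cached value is good" test below and keep the stapled response from ever replacing it. */`. Note that a cached "revoked" entry also fails the rvOcsp == SECSuccess test, so the side-channel response will be validated against it too; since that response is supplied by the TLS peer, it is worth confirming that the cache-update code that follows does not let an older "good" response displace a fresh "revoked" entry, but that code is outside this hunk. CERT_CacheOCSPResponseFromSideChannel begins before and continues after the hunk, so the certID cleanup on the early-return path could not be checked here.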