author | Brian Smith <brian@briansmith.org> | 2013-12-21 23:03:49 -0800 |
---|---|---|
committer | Brian Smith <brian@briansmith.org> | 2013-12-21 23:03:49 -0800 |
commit | e273f5335b323cddfe03fd4cbcfe581f4ad65c73 (patch) | |
tree | 542230520afc749ed6d3680f933e35dae56a3220 | |
parent | 09c9c2b79216f5bb57ffa358fba5784d8dcc1dd9 (diff) | |
download | nss-hg-e273f5335b323cddfe03fd4cbcfe581f4ad65c73.tar.gz |
Bug 952808: Make CERT_CacheOCSPResponseFromSideChannel replace error entries when a better entry is passed in, r=wtcNSS_3_15_4_BETA10
-rw-r--r-- | lib/certhigh/ocsp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c
index a52057aa6..d9c32890d 100644
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -5209,8 +5209,12 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 certID = CERT_CreateOCSPCertID(cert, time);
 if (!certID)
 return SECFailure;
+
+ /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached
+ * error entry is not interpreted as being a 'Good' entry here.
+ */
 rv = ocsp_GetCachedOCSPResponseStatus(
- certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
+ certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */
 &rvOcsp, &dummy_error_code, &freshness);
 if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) {
 /* The cached value is good. We don't want to waste time validating
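Review bot: The new comment says why PR_TRUE is passed but not what the caller does with a cached error entry afterwards, which is the behaviour the commit title promises; the hunk only shows the early return for a fresh SECSuccess entry, and the replacement of the error entry presumably happens in the part of CERT_CacheOCSPResponseFromSideChannel that lies outside the hunk (the function both starts and ends outside it). Suggest making the consequence explicit in the same comment, e.g. `* With PR_FALSE, a global "ignore OCSP failures" setting would report an error entry as Good and we would return early without ever replacing it with the response passed in.` Since a cached error entry now always falls through to the side-channel path, it is worth confirming (outside the hunk) that certID from CERT_CreateOCSPCertID is released on that path as well as on the early-return path; the error code itself is still discarded via dummy_error_code, which is fine here as only the success/freshness result gates the early return.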