OCSP and intermediate certs, libressl workaround no longer needed

From: Stuart Henderson via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 13 Jun 2017 10:48:00 +0100

lib/vtls/openssl.c has a workaround for a bug with OCSP responses
signed by intermediate certs; this was fixed in LibreSSL in
https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0

Would it be appropriate to adjust the #ifdef to avoid the workaround?

Index: lib/vtls/openssl.c
--- lib/vtls/openssl.c.orig
+++ lib/vtls/openssl.c
@@ -1371,7 +1371,7 @@ static CURLcode verifystatus(struct connectdata *conn,
   st = SSL_CTX_get_cert_store(connssl->ctx);
 
 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
- defined(LIBRESSL_VERSION_NUMBER))
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2040200fL))
   /* The authorized responder cert in the OCSP response MUST be signed by the
      peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
      no problem, but if it's an intermediate cert OpenSSL has a bug where it
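Review bot: the new LibreSSL branch of the `#if` has no comment recording which release the threshold `0x2040200fL` corresponds to, while the OpenSSL branch right above it carries `/* Fixed after 1.0.2a */`; add the matching note, e.g. `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2040200fL)) /* Fixed in the LibreSSL release containing upstream commit 912c64f6 */`, so that whoever later drops the workaround entirely can tell the boundary was chosen from the referenced fix rather than guessed. Since the workaround is a security-relevant verification step (the comment below the `#if` cites RFC 6960 section 4.2.2.2), it is also worth confirming in the cover text that the first LibreSSL release shipping the linked commit is the one immediately above the encoded version, because with `<=` a threshold set one release too low would disable the workaround on a LibreSSL that still has the intermediate-signer bug.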

Received on 2017-06-13