curl / Mailing Lists / curl-library / Single Mail


Re: OCSP and intermediate certs, libressl workaround no longer needed

From: Stuart Henderson via curl-library <>
Date: Tue, 13 Jun 2017 11:47:51 +0100

On 2017/06/13 12:11, Daniel Stenberg wrote:
> On Tue, 13 Jun 2017, Stuart Henderson via curl-library wrote:
> > lib/vtls/openssl.c has a workaround for a bug with OCSP responses
> > signed by intermediate certs, this was fixed in LibreSSL in
> >
> >
> > Would it be appropriate to adjust the #ifdef to avoid the workaround?
> It looks fine to me. I take it you've tested this code with a new enough
> libressl version and seen it working too?

I am able to connect to a site with a letsencrypt-signed cert with
--cacert pointing to a file containing only the DST Root CA. From what
I understand I think that should be a valid test.

$ curl -I --cacert /tmp/dst.pem --cert-status -v 2>&1 | grep ^..SSL.cert
* SSL certificate status: good (0)

Received on 2017-06-13