BUG/MINOR: ssl: ocsp response with 'revoked' status is correct
ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
is a correct status and should not be dropped.
In the case of a certificate with the OCSP must-stapling extension, a response with
'revoked' status must be provided as well as a 'good' status.
This patch can be backported to 1.7, 1.6 and 1.5.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6096f46..7b8570c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -621,8 +621,8 @@
id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
- if (rc != V_OCSP_CERTSTATUS_GOOD) {
- memprintf(err, "OCSP single response: certificate status not good");
+ if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
+ memprintf(err, "OCSP single response: certificate status is unknown");
goto out;
}
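Review bot: the new condition `if (rc == V_OCSP_CERTSTATUS_UNKNOWN)` rejects only the 'unknown' status, so any other return value of OCSP_single_get0_status is accepted, including a negative error return if the library can produce one, rather than just the two statuses the commit message says should pass ('good' and 'revoked'). Consider an explicit allowlist instead, e.g. `if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {` with a message such as "OCSP single response: certificate status is neither good nor revoked", so the accepted set matches the stated intent and unexpected values still hit the `goto out` path.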