BUG/MINOR: ssl: ocsp response with 'revoked' status is correct ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status is a correct status and should not be dropped. In case of certificate with OCSP must-stapling extension, response with 'revoked' status must be provided as well as 'good' status. This patch can be backported in 1.7, 1.6 and 1.5.

commit: 872085ce375c76723ff023d2a79e9d9a0852aa98 [log] [tgz]
author: Emmanuel Hocdet <manu@gandi.net> Tue Oct 10 15:18:52 2017 +0200
committer: Willy Tarreau <w@1wt.eu> Sun Oct 22 10:01:26 2017 +0200
tree: 0be128be81e95c0771990c9faafaa501302d272a
parent: cbc6524a198400b96c28d226a0a042687b622dc0 [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6096f46..7b8570c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -621,8 +621,8 @@
 	id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
 
 	rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
-	if (rc != V_OCSP_CERTSTATUS_GOOD) {
-		memprintf(err, "OCSP single response: certificate status not good");
+	if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
+		memprintf(err, "OCSP single response: certificate status is unknown");
 		goto out;
 	}
commit	872085ce375c76723ff023d2a79e9d9a0852aa98	[log] [tgz]
author	Emmanuel Hocdet <manu@gandi.net>	Tue Oct 10 15:18:52 2017 +0200
committer	Willy Tarreau <w@1wt.eu>	Sun Oct 22 10:01:26 2017 +0200
tree	0be128be81e95c0771990c9faafaa501302d272a
parent	cbc6524a198400b96c28d226a0a042687b622dc0 [diff]