authorJeremy Harris <jgh146exb@wizmail.org>2018-01-07 22:18:55 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2018-01-07 22:18:55 +0000
commit6fbf35995e5eca4887f35031f20ca5e85f16ba25 (patch)
tree152d4038893422d1153259511b33204f17a7bcdb /src
parent57887eccbbb5043d2a25777d081f54c870b256c8 (diff)
OpenSSL: fix OCSP stapling under DANE
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e269854ff..a542d4db0 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -540,8 +540,21 @@ DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
#endif
if (preverify_ok == 1)
- tls_out.dane_verified =
- tls_out.certificate_verified = TRUE;
+ {
+ tls_out.dane_verified = tls_out.certificate_verified = TRUE;
+#ifndef DISABLE_OCSP
+ if (client_static_cbinfo->u_ocsp.client.verify_store)
+ { /* client, wanting stapling */
+ /* Add the server cert's signing chain as the one
+ for the verification of the OCSP stapled information. */
+
+ if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
+ cert))
+ ERR_clear_error();
+ sk_X509_push(client_static_cbinfo->verify_stack, cert);
+ }
+#endif
+ }
else
{
int err = X509_STORE_CTX_get_error(x509ctx);