[gnutls-devel] [PATCH] OCSP check the whole cert chain
nmav at gnutls.org
Wed Feb 4 10:15:26 CET 2015
On Mon, 2015-02-02 at 16:27 +0100, Tim Ruehsen wrote:
> please have a look at src/cli.c/cert_verify_ocsp().
> You changed the last line in this function in a way, that if there are revoked
> certs in the chain but at least one not-revoked cert, the function returns
> 'ok'. Which it should not and which it did not in my patch.
Indeed, I was trying to address the issue of having unknown status in an
OCSP response. I'll have to treat revoked and unknown as different.
More information about the Gnutls-devel