DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

OpenSSL: Allow no OCSP response when resuming a session with TLS 1.3

Browse source 
TLS 1.3 sends the OCSP response with the server Certificate message.
Since that Certificate message is not sent when resuming a session,
there can be no new OCSP response. Allow this since the OCSP response
was validated when checking the initial certificate exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-05-02 16:54:13 +03:00 committed by Jouni Malinen
parent 2be1bcaf74
commit 10746875e2
1 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/crypto/tls_openssl.c
View file

@ -4980,6 +4980,17 @@ static int ocsp_resp_cb(SSL *s, void *arg)
len = SSL_get_tlsext_status_ocsp_resp(s, &p); len = SSL_get_tlsext_status_ocsp_resp(s, &p);
if (!p) { if (!p) {
if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) {
/* TLS 1.3 sends the OCSP response with the server
* Certificate message. Since that Certificate message
* is not sent when resuming a session, there can be no
* new OCSP response. Allow this since the OCSP response
* was validated when checking the initial certificate
* exchange. */
wpa_printf(MSG_DEBUG,
"OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session");
return 1;
}
wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received"); wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1; return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
} }