OpenSSL: Reject OCSP-required configuration if no OCSP support
This is needed at least with BoringSSL to avoid accepting OCSP-required configuration with a TLS library that does not support OCSP stapling. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
parent
c07e7b43e9
commit
355a5c8ec5
1 changed files with 10 additions and 0 deletions
|
@ -3788,6 +3788,16 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
||||||
SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
|
SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
|
||||||
SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
|
SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
|
||||||
}
|
}
|
||||||
|
#else /* HAVE_OCSP */
|
||||||
|
if (params->flags & TLS_CONN_REQUIRE_OCSP) {
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"OpenSSL: No OCSP support included - reject configuration");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (params->flags & TLS_CONN_REQUEST_OCSP) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"OpenSSL: No OCSP support included - allow optional OCSP case to continue");
|
||||||
|
}
|
||||||
#endif /* HAVE_OCSP */
|
#endif /* HAVE_OCSP */
|
||||||
|
|
||||||
conn->flags = params->flags;
|
conn->flags = params->flags;
|
||||||
|
|
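Review bot: The optional branch (`if (params->flags & TLS_CONN_REQUEST_OCSP)` under `#else /* HAVE_OCSP */`) reports the missing OCSP support only at MSG_DEBUG, so a configuration that asked for stapling continues with no revocation status check and nothing at typical log levels says so. Logging this fail-open case at the same level as the reject path would make it visible to whoever set the option: `wpa_printf(MSG_INFO, "OpenSSL: No OCSP support included - allow optional OCSP case to continue");`. Separately, the reject branch returns -1 late in tls_connection_set_params, whose body starts and ends outside this hunk, so it is not visible here whether parameters applied earlier in the function remain set on `conn` after the failure. If callers do not discard the connection on -1, the TLS_CONN_REQUIRE_OCSP check would be better placed before any other state is changed.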