OpenSSL: Reject OCSP-required configuration if no OCSP support

This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2015-08-18 02:24:06 +03:00 committed by Jouni Malinen
parent c07e7b43e9
commit 355a5c8ec5


@ -3788,6 +3788,16 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn); SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
} }
#else /* HAVE_OCSP */
if (params->flags & TLS_CONN_REQUIRE_OCSP) {
wpa_printf(MSG_INFO,
"OpenSSL: No OCSP support included - reject configuration");
return -1;
}
if (params->flags & TLS_CONN_REQUEST_OCSP) {
wpa_printf(MSG_DEBUG,
"OpenSSL: No OCSP support included - allow optional OCSP case to continue");
}
#endif /* HAVE_OCSP */ #endif /* HAVE_OCSP */
conn->flags = params->flags; conn->flags = params->flags;