Disable OCSP if optionalNoCA is used
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 2af4d25..5052c5e 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -309,15 +309,14 @@
con->pha_state = PHA_COMPLETE;
#endif
- if (verify == SSL_CVERIFY_UNSET ||
- verify == SSL_CVERIFY_NONE) {
+ if (verify == SSL_CVERIFY_UNSET || verify == SSL_CVERIFY_NONE) {
return 1;
}
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
- (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
- ok = 1;
+ if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) && (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
SSL_set_verify_result(ssl, X509_V_OK);
+ // Skip OCSP checks since the CA is optional
+ return 1;
}
/*
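Review bot: The added `return 1` after `SSL_set_verify_result(ssl, X509_V_OK)` accepts the certificate and bypasses everything that follows in the callback, not only the OCSP check that the comment and changelog name, so the comment should state the full effect, e.g. `/* CA is optional: with no trusted issuer the remaining checks (OCSP and anything below) cannot be meaningful, so accept here and skip them all. */`. If the rest of the callback, which lies outside this hunk, still enforces a chain-depth limit or logs verification failures, that logic is now skipped for optionalNoCA clients too and should either be hoisted above the early return or explicitly documented as waived in this mode. The `X509_V_OK` override also means `SSL_get_verify_result()` reports success for a chain that was never validated, which callers cannot distinguish from a real verification; that is inherent to the insecure mode but deserves a one-line note next to the override. Minor style point: the file uses `/* */` comments (see the line following the hunk), so the new `//` comment should match. The enclosing verify callback starts before and continues past this hunk.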
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 5bb4b7e..125e360 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -33,6 +33,11 @@
</section>
<section name="Changes in 2.0.6">
<changelog>
+ <fix>
+ <bug>67061</bug>: If the insecure optionalNoCA certificate verification
+ mode is used, disable OCSP if enabled else client certificates from
+ unknown certificate authorities will be rejected. (markt)
+ </fix>
</changelog>
</section>
<section name="Changes in 2.0.5">