--- /dev/null
+From 5e64b73ef7cdaf20b998b3345a588b462fd30bfb Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 7 May 2019 22:55:41 +0100
+Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp
+
+(cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)
+---
+ doc/ChangeLog | 3 +++
+ src/tls-gnu.c | 12 ++++++++----
+ test/log/5651 | 2 +-
+ test/log/5730 | 8 ++++----
+ 4 files changed, 16 insertions(+), 9 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -39,6 +39,9 @@ JH/11 Harden plaintext authenticator aga
+ library routine (usually a crash). Found by "zerons".
+
+
++JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
++ verification result was not updated unless hosts_require_ocsp applied.
++
+
+ Exim version 4.92
+ -----------------
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -2450,7 +2450,7 @@ if (!verify_certificate(state, errstr))
+ }
+
+ #ifndef DISABLE_OCSP
+-if (require_ocsp)
++if (request_ocsp)
+ {
+ DEBUG(D_tls)
+ {
+@@ -2474,10 +2474,14 @@ if (require_ocsp)
+ {
+ tlsp->ocsp = OCSP_FAILED;
+ tls_error(US"certificate status check failed", NULL, state->host, errstr);
+- return NULL;
++ if (require_ocsp)
++ return FALSE;
++ }
++ else
++ {
++ DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
++ tlsp->ocsp = OCSP_VFIED;
+ }
+- DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+- tlsp->ocsp = OCSP_VFIED;
+ }
+ #endif
+
HCoop / hcoop / debian / exim4.git / blobdiff