The legacy client OCSP callback should run without server OCSP.
It's conditioned in OpenSSL on client offer, not server accept.
Change-Id: Iae5483a33d9365258446ce0ae34132aeb4a92c66
Reviewed-on: https://boringssl-review.googlesource.com/28545
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/handshake.cc b/ssl/handshake.cc
index 9cad971..bd304eb 100644
--- a/ssl/handshake.cc
+++ b/ssl/handshake.cc
@@ -367,7 +367,7 @@
// Emulate OpenSSL's client OCSP callback. OpenSSL verifies certificates
// before it receives the OCSP, so it needs a second callback for OCSP.
if (ret == ssl_verify_ok && !ssl->server &&
- hs->new_session->ocsp_response != nullptr &&
+ hs->config->ocsp_stapling_enabled &&
ssl->ctx->legacy_ocsp_callback != nullptr) {
int cb_ret =
ssl->ctx->legacy_ocsp_callback(ssl, ssl->ctx->legacy_ocsp_callback_arg);
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7e9a6ef..3d8a6b0 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4841,8 +4841,8 @@
expectedLocalError: expectedLocalError,
expectedError: ":OCSP_CB_ERROR:",
})
- // The callback does not run if the server does not send an
- // OCSP response.
+ // The callback still runs if the server does not send an OCSP
+ // response.
certNoStaple := rsaCertificate
certNoStaple.OCSPStaple = nil
tests = append(tests, testCase{
@@ -4858,6 +4858,9 @@
"-use-ocsp-callback",
"-fail-ocsp-callback",
},
+ shouldFail: true,
+ expectedLocalError: expectedLocalError,
+ expectedError: ":OCSP_CB_ERROR:",
})
// The server OCSP callback is a legacy mechanism for
