Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 477) +++ SSLeay.xs (working copy) @@ -5916,7 +5916,7 @@ if (X509_check_issued(cert,cert) == X509_V_OK) croak("no OCSP request for self-signed certificate"); if (!(issuer = find_issuer(cert,store,chain))) - croak("cannot find issuer to certificate"); + croak("cannot find issuer certificate"); if (!(id = OCSP_cert_to_id(EVP_sha1(),cert,issuer))) croak("out of memory for generating OCSO certid"); if (!(len = i2d_OCSP_CERTID(id,NULL))) @@ -6011,7 +6011,7 @@ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); if ( (issuer = find_issuer(last,store,chain))) { - OCSP_basic_add1_cert(bsr, X509_dup(issuer)); + OCSP_basic_add1_cert(bsr, issuer); TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); } @@ -6058,11 +6058,8 @@ goto end; } int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */ - if (first >= 0) - { - sir = OCSP_resp_get0(bsr,first); - break; - } + if (first >= 0) + sir = OCSP_resp_get0(bsr,first); } int status, revocationReason; @@ -6073,7 +6070,8 @@ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); #else status = sir->certStatus->type; - revocationTime = sir->certStatus->value.revoked->revocationTime; + if (status == V_OCSP_CERTSTATUS_REVOKED) + revocationTime = sir->certStatus->value.revoked->revocationTime; thisupdate = sir->thisUpdate; nextupdate = sir->nextUpdate; #endif Index: t/external/ocsp.t =================================================================== --- t/external/ocsp.t (revision 477) +++ t/external/ocsp.t (working copy) @@ -14,17 +14,17 @@ my @tests = ( { # this should give us OCSP stapling - host => 'www.live.com', + host => 'www.microsoft.com', port => 443, - fingerprint => '10c56ee9e2acaf2e77caeb7072bf6522dd7422b8', + fingerprint => '5f0b37e633840ca02468552ea3b1197e5e118f7b', ocsp_staple => 1, expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { - # no OCSP stapling yet - host => 'www.google.com', + # no OCSP stapling + host => 'www.spiegel.de', port => 443, - fingerprint => '007a5ab302f14446e2ea24d3a829de22ba1bf950', + fingerprint => 'ad737048455485d8c817b7d0f7403553a7b9f65b', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { @@ -31,12 +31,13 @@ # this is revoked host => 'revoked.grc.com', port => 443, - fingerprint => '34703c40093461ad3ce087e161c7b7f42abe770c', + fingerprint => '310665f4c8e78db761c764e798dca66047341264', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_REVOKED(), }, ); -plan tests => 0+@tests; +my $release_tests = $ENV{RELEASE_TESTING} ? 1:0; +plan tests => $release_tests + @tests; my $timeout = 10; # used to TCP connect and SSL connect @@ -48,8 +49,9 @@ Net::SSLeay::SSLeay_add_ssl_algorithms(); my $sha1 = Net::SSLeay::EVP_get_digestbyname('sha1'); + +my @fp_mismatch; TEST: - for my $test (@tests) { my $cleanup = __cleanup__->new; SKIP: { @@ -114,8 +116,11 @@ my $fp = $leaf_cert && unpack("H*",Net::SSLeay::X509_digest($leaf_cert,$sha1)); skip "could not get fingerprint",1 if !$fp; - skip "bad fingerprint $fp for $test->{host}:$test->{port}",1 - if $fp ne $test->{fingerprint}; + if ($fp ne $test->{fingerprint}) { + push @fp_mismatch, [ $fp,$test ]; + skip("bad fingerprint for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp",1) + } diag("fingerprint matches"); if ( $test->{ocsp_staple} && ! $stapled_response ) { @@ -225,6 +230,19 @@ } } +if ($release_tests) { + if (!@fp_mismatch) { + pass("all fingerprints matched"); + } else { + for(@fp_mismatch) { + my ($fp,$test) = @$_; + diag("fingerprint mismatch for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp") + } + fail("some fingerprints did not matched - please adjust test"); + } +} + { # cleanup stuff when going out of scope package __cleanup__;