Diffstat (limited to 'src/lib/tls/tls_client.cpp')
-rw-r--r--src/lib/tls/tls_client.cpp24
1 files changed, 22 insertions, 2 deletions
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 0e620a279..a1b71841d 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -386,7 +386,8 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
"Client: No certificates sent by server");
/*
- Certificate verification happens after we receive the server hello done,
+ If the server supports certificate status messages,
+ certificate verification happens after we receive the server hello done,
in case an OCSP response was also available
*/
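Review bot: The reworded comment now documents only the status-message case and leaves the reader without the other half of the new control flow, which this same commit introduces in the Certificate handler below. I would complete it: `If the server supports certificate status messages, certificate verification happens after we receive the server hello done, in case an OCSP response was also available; otherwise the chain is verified as soon as the Certificate message arrives.` The surrounding process_handshake_msg body starts and ends outside this hunk.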
@@ -412,6 +413,24 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
{
state.set_expected_next(CERTIFICATE_STATUS); // optional
}
+ else
+ {
+ try
+ {
+ auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
+
+ callbacks().tls_verify_cert_chain(server_certs,
+ {},
+ trusted_CAs,
+ Usage_Type::TLS_SERVER_AUTH,
+ m_info.hostname(),
+ policy());
+ }
+ catch(std::exception& e)
+ {
+ throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
+ }
+ }
}
else if(type == CERTIFICATE_STATUS)
{
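Review bot: The new `catch(std::exception& e)` in the else branch flattens every failure from tls_verify_cert_chain into Alert::BAD_CERTIFICATE; if the user callback (or the default implementation) throws a TLS_Exception that already carries a more specific alert such as CERTIFICATE_EXPIRED or UNKNOWN_CA, and TLS_Exception derives from std::exception as it appears to here, that alert is lost and the peer receives a less precise reason. A `catch(TLS_Exception&) { throw; }` clause ahead of the generic one would preserve it, and catching by `const std::exception&` is the usual form. The trusted-CA lookup plus callback call is also now duplicated with the server_hello_done path that this commit gates on supports_certificate_status_message(); a small private helper taking the OCSP response vector would keep the two verification sites from drifting apart. The enclosing process_handshake_msg function begins and ends outside this hunk.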
@@ -459,7 +478,8 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
{
state.server_hello_done(new Server_Hello_Done(contents));
- if(state.server_certs() != nullptr)
+ if(state.server_certs() != nullptr &&
+ state.server_hello()->supports_certificate_status_message())
{
try
{