authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-29 14:28:29 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-29 14:37:36 +0200
commit4a564070854239c87bf5d7883d344cf747ac2e00 (patch)
treef3211168a9354810dee375761102f7a32db1b93d
parent98960b32022682a44cf6c5c22acfbb62b0fda0b3 (diff)
gnutls-cli: save OCSP response at the time certificate is saved
That ensures that we always save the OCSP response, even when certificate verification fails. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--src/cli.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/src/cli.c b/src/cli.c
index 32fdd41fd2..599c2b3472 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -431,6 +431,7 @@ static int cert_verify_callback(gnutls_session_t session)
int dane = ENABLED_OPT(DANE);
int ca_verify = ENABLED_OPT(CA_VERIFICATION);
const char *txt_service;
+ gnutls_datum_t oresp;
/* On an session with TOFU the PKI/DANE verification
* become advisory.
@@ -440,10 +441,26 @@ static int cert_verify_callback(gnutls_session_t session)
ssh = strictssh;
}
+ /* Save certificate and OCSP response */
if (HAVE_OPT(SAVE_CERT)) {
try_save_cert(session);
}
+ rc = gnutls_ocsp_status_request_get(session, &oresp);
+ if (rc < 0) {
+ oresp.data = NULL;
+ oresp.size = 0;
+ }
+
+ if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
+ FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
+
+ if (fp != NULL) {
+ fwrite(oresp.data, 1, oresp.size, fp);
+ fclose(fp);
+ }
+ }
+
print_cert_info(session, verbose, print_cert);
if (ca_verify) {
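Review bot: The relocated save block opens the target with `fopen(OPT_ARG(SAVE_OCSP), "w")` and ignores the results of `fopen`, `fwrite` and `fclose`, so a failed or truncated write looks the same as success and a stale file from an earlier run may be taken for the current response. The stapled response is binary DER, so text mode can alter it on platforms that translate newlines; `"wb"` avoids that. Because the file is now written before any verification runs, a short comment saying the saved response is unverified peer data would help whoever consumes it later. cert_verify_callback starts and ends outside this hunk.

```c
	/* … unchanged: try_save_cert() call, gnutls_ocsp_status_request_get() and the rc < 0 reset … */
	if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
		/* Raw DER as sent by the peer; written before verification,
		 * so the saved file must not be treated as validated. */
		FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "wb");

		if (fp == NULL) {
			fprintf(stderr, "Cannot open %s for writing\n",
				OPT_ARG(SAVE_OCSP));
		} else {
			size_t written = fwrite(oresp.data, 1, oresp.size, fp);

			/* always close, then report a short write or flush error */
			if (fclose(fp) != 0 || written != oresp.size)
				fprintf(stderr, "Error writing OCSP response to %s\n",
					OPT_ARG(SAVE_OCSP));
		}
	}
```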
@@ -1153,14 +1170,6 @@ print_other_info(gnutls_session_t session)
fputs((char*)p.data, stdout);
}
- if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
- FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
-
- if (fp != NULL) {
- fwrite(oresp.data, 1, oresp.size, fp);
- fclose(fp);
- }
- }
}
static void flush_socket(socket_st *hd, unsigned ms)