-rw-r--r-- | src/ocsptool-args.def | 6 | ||||
-rw-r--r-- | src/ocsptool.c | 8 |
2 files changed, 12 insertions, 2 deletions
diff --git a/src/ocsptool-args.def b/src/ocsptool-args.def
index c293863bc7..8ef8ba859f 100644
--- a/src/ocsptool-args.def
+++ b/src/ocsptool-args.def
@@ -30,6 +30,12 @@ flag = {
 };
 
 flag = {
+    name = verify-allow-broken;
+    descrip = "Allow broken algorithms, such as MD5 for verification";
+    doc = "This can be combined with --verify-response.";
+};
+
+flag = {
     name = request-info;
     value = i;
     descrip = "Print information on a OCSP request";
diff --git a/src/ocsptool.c b/src/ocsptool.c
index 525108d425..480f9b0383 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -47,6 +47,7 @@ static const char *outfile_name = NULL; /* to delete on exit */
 FILE *infile;
 static unsigned int encoding;
 unsigned int verbose = 0;
+static unsigned int vflags = 0;
 
 const char *get_pass(void)
 {
@@ -339,7 +340,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
 		fprintf(stdout, "Loaded %d trust anchors\n", x509_ncas);
-		ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
+		ret = gnutls_ocsp_resp_verify(resp, list, &verify, vflags);
 		if (ret < 0) {
 			fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n",
 				gnutls_strerror(ret));
@@ -367,7 +368,7 @@ static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
 		ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify,
-						     0);
+						     vflags);
 		if (ret < 0) {
 			fprintf(stderr, "\nVerifying OCSP Response: %s\n",
@@ -588,6 +589,9 @@ int main(int argc, char **argv)
 	gnutls_global_set_log_function(tls_log_func);
 	gnutls_global_set_log_level(OPT_VALUE_DEBUG);
 
+	if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+		vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
 	if (HAVE_OPT(OUTFILE)) {
 		outfile = fopen(OPT_ARG(OUTFILE), "wb");
 		if (outfile == NULL) {
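Review bot: The new `descrip`/`doc` text for verify-allow-broken says what the option permits but not what the user gives up, which is the part an operator needs before passing it: the verification result is weaker because signatures made with algorithms GnuTLS otherwise rejects are accepted. The help text is also the only place this is documented, since the C side prints nothing when the flag is active. I would reword the two strings as `descrip = "Allow broken algorithms, such as MD5, when verifying a response";` and `doc = "This can be combined with --verify-response. Signatures made with algorithms considered insecure are then accepted, so a successful verification is a weaker result; use it only to inspect responses from legacy responders.";`.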
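Review bot: The new file-scope `vflags` carries no comment, and its name does not say which API's flags it holds or that it is written in one place and read in another; the neighbouring `outfile_name` has such a comment. I would declare it as `static unsigned int vflags = 0; /* flags for gnutls_ocsp_resp_verify*(); set once in main() from the command line */` so that a later reader of _verify_response() knows where the value comes from. This applies to the `@@ -47,6 +47,7 @@` hunk of src/ocsptool.c.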
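Review bot: When `vflags` contains GNUTLS_VERIFY_ALLOW_BROKEN, the verification output in the `@@ -339,7 +340,7 @@` hunk (and likewise the gnutls_ocsp_resp_verify_direct() path in the `@@ -367,7 +368,7 @@` hunk) is printed exactly as it is for a strict verification, so a transcript of the tool's output no longer shows whether a weak-signature response was accepted. A one-line notice before the verify call keeps the output self-describing, e.g. `if (vflags & GNUTLS_VERIFY_ALLOW_BROKEN) fprintf(stderr, "warning: broken signature algorithms are accepted for this verification\n");`, placed once where both call paths can reach it (the start of the verification branch, or before each of the two calls). _verify_response() begins and ends outside these hunks.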