We need to allow for either a CERTIFICATE or CERTIFICATE_STATUS message

here or we break the handshake with BAD_MESSAGE ok tb@
author: beck <> 2021-09-02 14:41:03 +0000
committer: beck <> 2021-09-02 14:41:03 +0000
commit: 35f39be7bcee252b94261cea09e50dac5eba4f29 (patch)
tree: d296dcd883d62acb247cc187aa224b7b7db025c8 /src/lib
parent: cabd06e4e9d5e5f974e375ae0ad65292062917af (diff)
download: openbsd-35f39be7bcee252b94261cea09e50dac5eba4f29.tar.gz
openbsd-35f39be7bcee252b94261cea09e50dac5eba4f29.tar.bz2
openbsd-35f39be7bcee252b94261cea09e50dac5eba4f29.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 7ceb866573..e27a0735b6 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.109 2021/09/02 08:51:56 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.110 2021/09/02 14:41:03 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1872,7 +1872,8 @@ ssl3_get_cert_status(SSL *s)
                return (1);
        }
-        if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
+        if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
+            S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
                SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
                goto fatal_err;
author	beck <>	2021-09-02 14:41:03 +0000
committer	beck <>	2021-09-02 14:41:03 +0000
commit	35f39be7bcee252b94261cea09e50dac5eba4f29 (patch)
tree	d296dcd883d62acb247cc187aa224b7b7db025c8 /src/lib
parent	cabd06e4e9d5e5f974e375ae0ad65292062917af (diff)
download	openbsd-35f39be7bcee252b94261cea09e50dac5eba4f29.tar.gz openbsd-35f39be7bcee252b94261cea09e50dac5eba4f29.tar.bz2 openbsd-35f39be7bcee252b94261cea09e50dac5eba4f29.zip