From 35f39be7bcee252b94261cea09e50dac5eba4f29 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Thu, 2 Sep 2021 14:41:03 +0000
Subject: We need to allow for either a CERTIFICATE or CERTIFICATE_STATUS
 message here or we break the handshake with BAD_MESSAGE

ok tb@
---
 src/lib/libssl/ssl_clnt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 7ceb866573..e27a0735b6 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.109 2021/09/02 08:51:56 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.110 2021/09/02 14:41:03 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1872,7 +1872,8 @@ ssl3_get_cert_status(SSL *s)
 		return (1);
 	}
 
-	if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
+	if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
+	    S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
 		al = SSL_AD_UNEXPECTED_MESSAGE;
 		SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
 		goto fatal_err;
-- 
cgit v1.2.3-55-g6feb