From 703cde656ae315f4314348b60e9b2fc02a42f0dc Mon Sep 17 00:00:00 2001
From: beck <>
Date: Tue, 19 May 2020 02:16:16 +0000
Subject: Only send ocsp staples if the client asked for ocsp certificate status. noticed by dlg@ on www.openbsd.org with curl. ok dlg@
---
 src/lib/libssl/ssl_tlsext.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/lib')
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 1ec8ac00ef..8949dc3a26 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.70 2020/05/19 02:16:16 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -910,6 +910,7 @@ int
 tlsext_ocsp_server_needs(SSL *s)
 {
 if (s->version >= TLS1_3_VERSION &&
+ s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
 s->ctx->internal->tlsext_status_cb != NULL) {
 s->internal->tlsext_status_expected = 0;
 if (s->ctx->internal->tlsext_status_cb(s,
--
cgit v1.2.3-55-g6feb
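Review bot: The added `s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp` test in `tlsext_ocsp_server_needs()` has no comment saying why it is there, and the reason is a protocol rule the code itself does not show. In TLS 1.3 the extensions a server puts in its Certificate message must correspond to ones the client offered in its ClientHello, and a peer that receives an unrequested extension is required to abort the handshake (RFC 8446 sections 4.2 and 4.4.2), which is presumably the curl failure the commit message refers to. I would add `/* Only staple if the client sent status_request; an unsolicited extension makes the peer abort. */` above the condition. The guard is only as reliable as the value of `tlsext_status_type`, so it is worth confirming that the field is reset before each ClientHello is parsed and cannot carry over a stale or application-set value; that code is outside this hunk, as is the rest of the function body.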