From: Jeremy Harris Date: Sun, 7 Jan 2018 22:18:55 +0000 (+0000) Subject: OpenSSL: fix OCSP stapling under DANE X-Git-Tag: exim-4_91_RC1~109 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=6fbf35995e5eca4887f35031f20ca5e85f16ba25;p=exim.git OpenSSL: fix OCSP stapling under DANE
---
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e269854ff..a542d4db0 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -540,8 +540,21 @@ DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
 #endif
 if (preverify_ok == 1)
- tls_out.dane_verified =
- tls_out.certificate_verified = TRUE;
+ {
+ tls_out.dane_verified = tls_out.certificate_verified = TRUE;
+#ifndef DISABLE_OCSP
+ if (client_static_cbinfo->u_ocsp.client.verify_store)
+ { /* client, wanting stapling */
+ /* Add the server cert's signing chain as the one
+ for the verification of the OCSP stapled information. */
+
+ if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
+ cert))
+ ERR_clear_error();
+ sk_X509_push(client_static_cbinfo->verify_stack, cert);
+ }
+#endif
+ }
 else
 {
 int err = X509_STORE_CTX_get_error(x509ctx);