
Re: OCSP and intermediate certs, libressl workaround no longer needed

From: Stuart Henderson via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 13 Jun 2017 11:47:51 +0100

On 2017/06/13 12:11, Daniel Stenberg wrote:
> On Tue, 13 Jun 2017, Stuart Henderson via curl-library wrote:
>
> > lib/vtls/openssl.c has a workaround for a bug with OCSP responses
> > signed by intermediate certs; this was fixed in LibreSSL in
> > https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
> >
> > Would it be appropriate to adjust the #ifdef to avoid the workaround?
>
> It looks fine to me. I take it you've tested this code with a new enough
> libressl version and seen it working too?

I am able to connect to a site with a letsencrypt-signed cert with
--cacert pointing to a file containing only the DST Root CA. From what
I understand I think that should be a valid test.

$ curl -I --cacert /tmp/dst.pem --cert-status -v https://spacehopper.org/ 2>&1 | grep ^..SSL.cert
* SSL certificate status: good (0)
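The check described in the mail, wrapped as a small POSIX shell function; this is an added example, not code from the mail or from the curl project. It runs curl with a root-only CA file and --cert-status, then classifies the verbose output using the "SSL certificate status: ..." and "No OCSP response received" lines that curl's OpenSSL/LibreSSL backend prints, so the same test can be repeated as a monitoring check. Function names and the CA file path are assumptions.

```shell
#!/bin/sh
# Classify a curl -v transcript by its OCSP stapling result.
# Prints one word and returns 0 only when the stapled status is "good".
# The status strings are what curl's openssl.c backend emits via infof()/failf().
classify_ocsp_output() {
    out=$1
    case "$out" in
        *"SSL certificate status: good"*)    echo good;    return 0 ;;
        *"SSL certificate status: revoked"*) echo revoked; return 1 ;;
        *"SSL certificate status: unknown"*) echo unknown; return 1 ;;
        *"No OCSP response received"*)       echo missing; return 1 ;;
        *)                                   echo error;   return 1 ;;
    esac
}

# Repeat the test from the mail: trust only the root CA in $2 (so the
# intermediate must come from the server's chain and must be usable to
# verify the stapled response), require a stapled OCSP response, and
# treat anything other than "good" as a failure.
# Example: check_stapled_ocsp https://example.invalid/ /tmp/root-only.pem
check_stapled_ocsp() {
    url=$1
    cafile=$2
    out=$(curl -sS -I -v --cacert "$cafile" --cert-status "$url" 2>&1)
    classify_ocsp_output "$out"
}

# When run directly with a URL and a CA file, perform the check.
if [ $# -eq 2 ]; then
    check_stapled_ocsp "$1" "$2"
fi
```

The exit status makes the function usable directly from cron or a monitoring agent; the printed word says which failure mode was hit.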

Received on 2017-06-13