Merge pull request #8115 from miyazakh/ocsp_tls13_client

Check Intermediate cert OCSP when using tls1.3 for client side
2025-07-29 18:27:29 +02:00 · 2024-10-31 11:13:01 +10:00
parent 4b8c9bbb6d 79a9e0a709
commit 89d2964320
1 changed files with 7 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -15232,7 +15232,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        else /* skips OCSP and force CRL check */
                    #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
                    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST)
-                        if (IsAtLeastTLSv1_3(ssl->version)) {
+                        if (IsAtLeastTLSv1_3(ssl->version) &&
+                            ssl->options.side == WOLFSSL_CLIENT_END &&
+                            ssl->status_request) {
+                            /* We check CSR in Certificate message sent from
+                             * Server. Server side will check client
+                             * certificates by traditional OCSP if enabled
+                             */
                            ret = TLSX_CSR_InitRequest_ex(ssl->extensions,
                                    args->dCert, ssl->heap, args->certIdx);
                        }