diff --git a/contrib/src/opendht/SHA512SUMS b/contrib/src/opendht/SHA512SUMS
index d6400692c86766fb8fe646c8b05ecc29efa99853..ecfd0efedbb983c09e8a74d4d6ccecc8d33ca1fe 100644
--- a/contrib/src/opendht/SHA512SUMS
+++ b/contrib/src/opendht/SHA512SUMS
@@ -1 +1 @@
-948a4a0ede624d7604535040e88d74a559b9fd6d8509d5e98d2595110cfc810b1f062b3efca26cdf8b24ef79bdfeaca7c656d4c6b0a6536b5261da01c07a6cbc opendht-2.2.0rc2.tar.gz
\ No newline at end of file
+beb019785130c514d44d1861c9b0c17d383daae307cd08dba72bea881e91a14f8cf510862bc8969d27083c4b7d8a463423f38e9fb00fed4c0229a8d460914112 opendht-2.2.0rc4.tar.gz
\ No newline at end of file
diff --git a/contrib/src/opendht/package.json b/contrib/src/opendht/package.json
index defbb88e042578f4f09ee76e5fbaf8e5c1a85036..7367cff3dc5462b4dc85854347b859a15f1ca315 100644
--- a/contrib/src/opendht/package.json
+++ b/contrib/src/opendht/package.json
@@ -1,6 +1,6 @@
 {
 "name": "opendht",
- "version": "2.2.0rc2",
+ "version": "2.2.0rc4",
 "url": "https://github.com/savoirfairelinux/opendht/archive/__VERSION__.tar.gz",
 "deps": [
 "argon2",
diff --git a/contrib/src/opendht/rules.mak b/contrib/src/opendht/rules.mak
index 4f32b0c7fda3b026d042ce8314d1ab693e89c2f7..71dfccf8067dd1bfa520fd2c4a89401e6d7e334e 100644
--- a/contrib/src/opendht/rules.mak
+++ b/contrib/src/opendht/rules.mak
@@ -1,5 +1,5 @@
 # OPENDHT
-OPENDHT_VERSION := 2.2.0rc2
+OPENDHT_VERSION := 2.2.0rc4
 OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
 PKGS += opendht
diff --git a/src/security/tls_session.cpp b/src/security/tls_session.cpp
index b0693f60718ba564906ccaa4f1788315019fa048..e2dcb1f29093787d1965c00166e255db6b239a2f 100644
--- a/src/security/tls_session.cpp
+++ b/src/security/tls_session.cpp
@@ -653,6 +653,8 @@ TlsSession::TlsSessionImpl::verifyCertificateWrapper(gnutls_session_t session)
 verified = this_->callbacks_.verifyCertificate(session);
 if (verified != GNUTLS_E_SUCCESS)
 return verified;
+ } else {
+ verified = GNUTLS_E_SUCCESS;
 }
 /*
 * Support only x509 format
@@ -679,7 +681,7 @@ TlsSession::TlsSessionImpl::verifyCertificateWrapper(gnutls_session_t session)
 std::string ocspUrl = getOcspUrl(cert.cert);
 if (ocspUrl.empty()) {
- JAMI_DBG("Skipping OCSP verification %s: AIA not found", cert.getUID().c_str());
+ // Skipping OCSP verification: AIA not found
 return verified;
 }
@@ -748,7 +750,7 @@ TlsSession::TlsSessionImpl::verifyOcsp(const std::string& aia_uri,
 return;
 }
 JAMI_DBG("HTTP OCSP Request done!");
- unsigned int verify = 0;
+ gnutls_ocsp_cert_status_t verify = GNUTLS_OCSP_CERT_UNKNOWN;
 try {
 cert.ocspResponse = std::make_shared<dht::crypto::OcspResponse>(
 (const uint8_t*) r.body.data(), r.body.size());
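Review bot: With no `verifyCertificate` callback configured, the new `else` branch sets `verified` to GNUTLS_E_SUCCESS before any revocation check has run, and the `return verified;` kept in the @@ -679 hunk then reports success for a certificate that carries no AIA; whether that is safe depends on chain validation happening somewhere else, which is not visible here (the `if` this `else` completes starts outside the hunk). If that is the intent, say so next to the assignment, e.g. `// No application callback: nothing to reject here, the OCSP check below only adds revocation status`, so the fail-open default reads as deliberate rather than implicit. If `verified` was previously left unset on this path, the change also fixes that, but the comment is still worth having.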
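Review bot: The new initialiser `gnutls_ocsp_cert_status_t verify = GNUTLS_OCSP_CERT_UNKNOWN;` is also the value the later code relies on when the `OcspResponse` constructor or `verifyDirect()` throws, and nothing at the declaration says so. A one-line comment would make the coupling explicit: `// Stays UNKNOWN if the response cannot be parsed or verified; handled as soft-fail below`. verifyOcsp and the lambda this code sits in begin outside the hunk.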
@@ -756,32 +758,24 @@ TlsSession::TlsSessionImpl::verifyOcsp(const std::string& aia_uri,
 verify = cert.ocspResponse->verifyDirect(cert, nonce);
 } catch (dht::crypto::CryptoException& e) {
 JAMI_ERR("Failed to verify OCSP response: %s", e.what());
+ }
+ if (verify == GNUTLS_OCSP_CERT_UNKNOWN) {
+ // Soft-fail
 if (cb)
- cb(GNUTLS_E_INVALID_REQUEST);
+ cb(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
 return;
 }
- if (verify == 0)
+ int status = GNUTLS_E_SUCCESS;
+ if (verify == GNUTLS_OCSP_CERT_GOOD) {
 JAMI_DBG("OCSP verification success!");
- else
- JAMI_ERR("OCSP verification error!");
- if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
- JAMI_ERR("Signer cert not found");
- if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
- JAMI_ERR("Signer cert keyusage error");
- if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
- JAMI_ERR("Signer cert is not trusted");
- if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
- JAMI_ERR("Insecure algorithm");
- if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
- JAMI_ERR("Signature failure");
- if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
- JAMI_ERR("Signer cert not yet activated");
- if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
- JAMI_ERR("Signer cert expired");
+ } else {
+ status = GNUTLS_E_CERTIFICATE_ERROR;
+ JAMI_ERR("OCSP verification: certificate is revoked!");
+ }
 // Save response into the certificate store
 tls::CertificateStore::instance().pinOcspResponse(cert);
 if (cb)
- cb(verify);
+ cb(status);
 });
 }
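Review bot: The `// Soft-fail` branch merges two different situations: a responder that genuinely answers "unknown" and a response that failed to parse or verify (the `CryptoException` path leaves `verify` at GNUTLS_OCSP_CERT_UNKNOWN), so a response rejected by `verifyDirect()` hands the callback the same `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` as no OCSP data at all, and the responder-unknown case is not logged anywhere. If soft-failing both is the intended policy, state it in the comment and make the event visible, e.g. `JAMI_WARN("OCSP status unknown for %s, continuing without revocation check", cert.getUID().c_str());` before the `if (cb)` (`getUID()` is used on the same certificate type in the @@ -679 hunk). The final `else` is reached only for GNUTLS_OCSP_CERT_REVOKED, which the log message assumes; comparing against that value explicitly would keep the branch honest if the enum ever grows. verifyOcsp and its lambda begin outside the hunk.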