Move no status notification to ssl_check_serverhello_tlsext() to ensure
no status is notified even if no server extensions are present.
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 476e424..b0b5687 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -992,35 +992,6 @@
}
}
- /* If we've requested certificate status and we wont get one
- * tell the callback
- */
- if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
- && s->ctx->tlsext_status_cb)
- {
- int r;
- /* Set resp to NULL, resplen to -1 so callback knows
- * there is no response.
- */
- if (s->tlsext_ocsp_resp)
- {
- OPENSSL_free(s->tlsext_ocsp_resp);
- s->tlsext_ocsp_resp = NULL;
- }
- s->tlsext_ocsp_resplen = -1;
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
- if (r == 0)
- {
- *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
- return 0;
- }
- if (r < 0)
- {
- *al = SSL_AD_INTERNAL_ERROR;
- return 0;
- }
- }
-
*p = data;
return 1;
}
@@ -1340,6 +1311,35 @@
}
#endif
+ /* If we've requested certificate status and we wont get one
+ * tell the callback
+ */
+ if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
+ && s->ctx->tlsext_status_cb)
+ {
+ int r;
+ /* Set resp to NULL, resplen to -1 so callback knows
+ * there is no response.
+ */
+ if (s->tlsext_ocsp_resp)
+ {
+ OPENSSL_free(s->tlsext_ocsp_resp);
+ s->tlsext_ocsp_resp = NULL;
+ }
+ s->tlsext_ocsp_resplen = -1;
+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ if (r == 0)
+ {
+ al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ if (r < 0)
+ {
+ al = SSL_AD_INTERNAL_ERROR;
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ }
+
switch (ret)
{
case SSL_TLSEXT_ERR_ALERT_FATAL:
