Hey, On Thu, Jan 18, 2018 at 3:11 AM, Isaac Boukris <iboukris@gmail.com> wrote:
Hello,
Following up on the pull-request. The scenario I am testing is when a client issue a certificate from a sub-ca which is not trusted (ca_file only points to root CA). In such case, the client must send its issuer certificate along in order to complete the chain and get verified. This works ok, however the OCSP verification is skipped in such case because we fail get issuer certificate (even if softfail is no).
The first patch fix the above and treats this error as a soft failure. The second one attempts to get the issuer-certificate differently which works for this scenario (where the issuer isn't trusted).
Any thoughts on this? I can collect server debug of this flow, before and after the patches if it helps. Thanks!