authorbeck <beck@openbsd.org>2016-11-03 12:54:16 +0000
committerbeck <beck@openbsd.org>2016-11-03 12:54:16 +0000
commit9d4c37a0dc681be47a4baa259eaf7f05dfccf20f (patch)
treec8d51afec7f3a5ac422d7b19f0b50080b33d9e9e
parentUse hw.ncpufound. (diff)
Don't do OCSP validation when certificate verification (noverifycert) or certificate validity-time checking (noverifytime) has been disabled. ok jsing@
-rw-r--r--lib/libtls/tls_init.38
-rw-r--r--lib/libtls/tls_ocsp.c5
2 files changed, 8 insertions, 5 deletions
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 06634efa6fb..d0b6292b4ab 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.75 2016/11/02 18:26:14 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 2 2016 $
+.Dd $Mdocdate: November 3 2016 $
.Dt TLS_INIT 3
.Os
.Sh NAME
@@ -445,7 +445,7 @@ the default.
clears any secret keys from memory.
.It
.Fn tls_config_insecure_noverifycert
-disables certificate verification.
+disables certificate verification and OCSP validation.
Be extremely careful when using this option.
.It
.Fn tls_config_insecure_noverifyname
@@ -453,7 +453,7 @@ disables server name verification (client only).
Be careful when using this option.
.It
.Fn tls_config_insecure_noverifytime
-disables validity checking of certificates.
+disables validity checking of certificates and OCSP validation.
Be careful when using this option.
.It
.Fn tls_config_verify
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index a30e363e6ed..aa085bd245f 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -309,8 +309,11 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
tls_ocsp_ctx_free(ctx->ocsp_ctx);
ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
- if (ctx->ocsp_ctx != NULL)
+ if (ctx->ocsp_ctx != NULL) {
+ if (ctx->config->verify_cert == 0 || ctx->config->verify_time == 0)
+ return 1;
res = tls_ocsp_process_response_internal(ctx, raw, size);
+ }
return (res == 0) ? 1 : 0;
}
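Review bot: The two-line guard inserted ahead of tls_ocsp_process_response_internal bails out when either verify_cert or verify_time is 0, so tls_config_insecure_noverifytime — which only relaxes clock-dependent checks — now also discards the revocation status carried in a stapled response, and a server stapling a "revoked" answer is accepted without complaint. Only the thisUpdate/nextUpdate window check in the OCSP response depends on the clock; the responder-signature and certificate-status checks do not, so a narrower fix would keep the `verify_cert == 0` early return here and instead hand the noverifytime setting to tls_ocsp_process_response_internal so that it skips only the validity-window comparison. If skipping OCSP wholesale in both modes is intentional, say so at the guard, e.g. `/* no trusted chain or clock to check the response against: skip OCSP */`, and note in tls_init.3 that any accessor exposing the parsed stapled response will then report nothing even though the server stapled one. tls_ocsp_verify_cb starts before this hunk, so whether the callback is reached at all under these settings cannot be confirmed from here.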