From ef607050754981f4ed9280e96e94f77ce471fd68 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Tue, 24 Oct 2017 14:57:16 +0200
Subject: [PATCH] BUG/MINOR: ssl: OCSP_single_get0_status can return -1
Commit 872085ce "BUG/MINOR: ssl: ocsp response with 'revoked' status is correct" introduce a regression. OCSP_single_get0_status can return -1 and haproxy must generate an error in this case. Thanks to Sander Hoentjen who have spotted the regression. This patch should be backported in 1.7, 1.6 and 1.5 if the patch above is backported.
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bb1d69156..2f16d2871 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -622,7 +622,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
 id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
 rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
-if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
+if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {
 memprintf(err, "OCSP single response: certificate status is unknown");
 goto out;
 }
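Review bot: The new condition folds the -1 failure return of OCSP_single_get0_status into the same "certificate status is unknown" message as a genuine V_OCSP_CERTSTATUS_UNKNOWN answer, so an operator reading the error will assume the responder replied "unknown" when OpenSSL actually failed to extract a status from the single response. The fail-closed allow-list on GOOD/REVOKED is the right shape and should stay, but I would report the library failure on its own before it, so the log distinguishes a malformed or unparseable response from a legitimate responder verdict. A short why-comment on the allow-list, such as `/* anything but GOOD/REVOKED is rejected: -1 is an OpenSSL error, 2 is an explicit "unknown" */`, would also stop the next reader from narrowing it back to `== UNKNOWN`. The enclosing ssl_sock_load_ocsp_response continues outside the hunk, so whether revtime/thisupd/nextupd are validated after this point cannot be judged here.
```c
	rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
	if (rc < 0) {
		/* OpenSSL could not extract a status: a library/parse failure, not a responder verdict */
		memprintf(err, "OCSP single response: unable to retrieve certificate status");
		goto out;
	}
	/* … unchanged: GOOD/REVOKED allow-list rejecting an explicit "unknown" status … */
```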