From 94fb33bb8856973748d4377e0f3cdf3a8c2f27c3 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Mon, 31 Mar 2014 14:53:15 +0200
Subject: revocation: Log error if no OCSP signer candidate found
Fixes evaluation of ikev2/ocsp-untrusted-cert.
---
 src/libstrongswan/plugins/revocation/revocation_validator.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/libstrongswan/plugins/revocation/revocation_validator.c')
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index eb9065fb3..9fd5b2a22 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -118,7 +118,6 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
 { /* OCSP signer currently invalid */
 continue;
 }
- found = TRUE;
 if (!ca->equals(ca, issuer))
 { /* delegated OCSP signer? */
 if (!lib->credmgr->issued_by(lib->credmgr, issuer, ca, NULL))
@@ -130,6 +129,7 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
 continue;
 }
 }
+ found = TRUE;
 if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
 {
 DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"",
-- cgit v1.2.3
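Review bot: The `continue` paths that now run before the moved `found = TRUE;` still reject a candidate without logging anything: the `issued_by(..., issuer, ca, NULL)` failure in the first hunk, and the `continue` at the top of the second hunk, whose condition is outside the hunk. Judging by the subject line, a signer certificate that was present but not accepted as a delegate of `ca` will now be reported the same way as one that was never found, which makes an untrusted-responder event hard to tell apart from a missing certificate in the logs. Consider a diagnostic at the rejection point, for example `DBG1(DBG_CFG, "ocsp signer \"%Y\" not issued by CA, ignored", issuer->get_subject(issuer));`. A short comment above the moved line would also record the new meaning of the flag: `/* candidate is the CA itself or an accepted delegated signer */`. The body of `verify_ocsp` starts and ends outside both hunks, so where `found` is evaluated is not visible here.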