@@ -2050,6 +2050,8 @@ check_revocation_ocsp() {
20502050 local -i success=1
20512051 local response=""
20522052 local host_header=""
2053+ local openssl_bin="$OPENSSL"
2054+ local addtl_warning=""
20532055
20542056 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
20552057 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -2079,6 +2081,17 @@ check_revocation_ocsp() {
20792081 success=$?
20802082 fi
20812083 else
2084+ if [[ $OPENSSL =~ openssl.Linux.$(uname -m) ]]; then
2085+ # --phone-out in some cases throws a segfault with "our" binary, probably because a static binary with
2086+ # NSS and gethostbyname(3) doesn't work under Linux. So we use the vendor supplied binary if available.
2087+ # See #2516 and probably also #2667 and #1275 .
2088+ if [[ -x "$OPENSSL2" ]]; then
2089+ openssl_bin="$OPENSSL2"
2090+ [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
2091+ fi
2092+ else
2093+ addtl_warning="(a segfault indicates here you need to test this with another binary)"
2094+ fi
20822095 host_header=${uri##http://}
20832096 host_header=${host_header%%/*}
20842097 if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
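Review bot: The swap to `$OPENSSL2` at line 2089 is not reflected in the `-header` syntax selection that follows it: `$OSSL_NAME` at line 2097 still describes `$OPENSSL`, not `$openssl_bin`, so if the vendor binary is a different OpenSSL/LibreSSL flavour the `-header Host ${host_header}` form chosen at line 2103 may not be the one the invoked binary accepts, and the OCSP query would then fail for a reason unrelated to the segfault being worked around. Consider probing the substituted binary instead, e.g. `[[ "$("$openssl_bin" version 2>/dev/null)" =~ LibreSSL ]]`, or state in the comment that both binaries are assumed to take the same `-header` form. Separately, `addtl_warning` is only set on the outer `else` branch, so the bundled-Linux case where `$OPENSSL2` is not executable — the one the comment says actually segfaults — gets no hint; setting it in that inner branch too would cover it. The unescaped `.` in `openssl.Linux.$(uname -m)` matches any character; `openssl\.Linux\.` is presumably what is meant. check_revocation_ocsp begins before and continues after this hunk.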
@@ -2089,7 +2102,7 @@ check_revocation_ocsp() {
20892102 else
20902103 host_header="-header Host ${host_header}"
20912104 fi
2092- $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
2105+ $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
20932106 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
20942107 -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
20952108 success=$?
@@ -2109,8 +2122,8 @@ check_revocation_ocsp() {
21092122 set_grade_cap "T" "Certificate revoked"
21102123 else
21112124 out ", "
2112- pr_warning "error querying OCSP responder"
2113- fileout "$jsonID" "WARN" "$response"
2125+ pr_warning "error querying OCSP responder $addtl_warning "
2126+ fileout "$jsonID" "WARN" "$response $addtl_warning "
21142127 if [[ $DEBUG -ge 2 ]]; then
21152128 outln
21162129 cat "$tmpfile"
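Review bot: Lines 2125–2126 append `$addtl_warning` unconditionally, so in the common case where it is empty the terminal warning and the JSON finding written by `fileout` both end in two trailing spaces. Use the alternate-value expansion so the hint is only attached when set: `pr_warning "error querying OCSP responder${addtl_warning:+ $addtl_warning}"` and `fileout "$jsonID" "WARN" "${response}${addtl_warning:+ $addtl_warning}"`. It is also worth considering whether operator advice about picking another binary belongs in the JSON finding at all, since it describes the scanner rather than the target. The surrounding if/else and check_revocation_ocsp continue outside the hunk.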