
Commit a43261f

authored
Merge pull request #2703 from dcooper16/ocsp_check_rev_ossl_ver
OpenSSL version check in check_revocation_ocsp()
2 parents 0c64e09 + ebeb3e7 commit a43261f


1 file changed

+8
-11
lines changed

1 file changed

+8
-11
lines changed

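--- a/testssl.sh
+++ b/testssl.sh
@@ -2052,7 +2052,7 @@ check_revocation_ocsp() {
 local host_header=""
 local openssl_bin="$OPENSSL"
 local addtl_warning=""
-local smartswitch=false
+local ossl_name="$OSSL_NAME" ossl_ver="$OSSL_VER" ossl_ver_major="$OSSL_VER_MAJOR"
 
 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -2088,8 +2088,12 @@ check_revocation_ocsp() {
 # See #2516 and probably also #2667 and #1275 .
 if [[ -x "$OPENSSL2" ]]; then
 openssl_bin="$OPENSSL2"
-smartswitch=true
 [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
+ossl_ver="$($openssl_bin version -v 2>/dev/null)"
+ossl_name="${ossl_ver%% *}"
+ossl_ver="${ossl_ver#$ossl_name }"
+ossl_ver="${ossl_ver%% *}"
+ossl_ver_major="${ossl_ver%%\.*}"
 fi
 else
 addtl_warning="(a segfault indicates here you need to test this with another binary)"
@@ -2100,15 +2104,8 @@ check_revocation_ocsp() {
 # The following is the default (like "-header Host r11.o.lencr.org")
 host_header="-header Host ${host_header}"
 
-if "$smartswitch" ; then
-case $(openssl version -v | awk -F' ' '{ print $2 }') in
-# for those versions it's "-header Host=r11.o.lencr.org"
-3.*|1.1*) host_header=${host_header/Host /Host=} ;;
-esac
-else
-case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
-3.*|1.1*) host_header=${host_header/Host /Host=} ;;
-esac
+if [[ "$ossl_ver" == 1.1.* ]] || [[ $ossl_ver_major -ge 3 ]]; then
+[[ ! "$ossl_name" =~ LibreSSL ]] && host_header=${host_header/Host /Host=}
 fi
 $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \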
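Review bot: The version probe added in the `$OPENSSL2` branch is used without checking its result. If `$openssl_bin version -v` prints nothing (its stderr is discarded), `ossl_name`, `ossl_ver` and `ossl_ver_major` all end up empty, `[[ $ossl_ver_major -ge 3 ]]` evaluates the empty string as 0, and the request silently keeps the `Host ` form that the removed comment described as wrong for 1.1.x/3.x. That would presumably surface as a failed or misleading OCSP revocation result rather than as a clear diagnostic, so a guard after the parsing would help, for example `[[ "$ossl_ver_major" =~ ^[0-9]+$ ]] || { [[ $DEBUG -ge 1 ]] && echo "cannot parse version of $openssl_bin"; }`. The expansions should also be quoted, `"$openssl_bin" version -v` and `${ossl_ver#"$ossl_name" }`, so that a path with spaces or glob characters in the name does not change the parse. check_revocation_ocsp() starts and ends outside these hunks, so how `addtl_warning` and the command's exit status are reported later is not visible here.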
