@@ -1835,6 +1835,7 @@ check_revocation_ocsp() {
18351835 local host_header=""
18361836 local openssl_bin="$OPENSSL"
18371837 local addtl_warning=""
1838+ local smartswitch=false
18381839
18391840 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
18401841 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -1858,21 +1859,29 @@ check_revocation_ocsp() {
18581859 # the vendor supplied binary if available, see #2516 and probably also #2667 and #1275
18591860 if [[ -x "$OPENSSL2" ]]; then
18601861 openssl_bin="$OPENSSL2"
1862+ smartswitch=true
18611863 [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
18621864 fi
18631865 else
18641866 addtl_warning="(a segfault indicates here you need to test this with another binary)"
18651867 fi
18661868 host_header=${uri##http://}
18671869 host_header=${host_header%%/*}
1868- if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
1869- host_header="-header Host ${host_header}"
1870- elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
1871- [[ $OSSL_VER_MAJOR == 3 ]]; then
1872- host_header="-header Host=${host_header}"
1870+
1871+ # The following is the default (like "-header Host r11.o.lencr.org")
1872+ host_header="-header Host ${host_header}"
1873+
1874+ if "$smartswitch" ; then
1875+ case $(openssl version -v | awk -F' ' '{ print $2 }') in
1876+ # for those versions it's "-header Host=r11.o.lencr.org"
1877+ 3.*|1.1*) host_header=${host_header/Host /Host=} ;;
1878+ esac
18731879 else
1874- host_header="-header Host ${host_header}"
1880+ case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
1881+ 3.*|1.1*) host_header=${host_header/Host /Host=} ;;
1882+ esac
18751883 fi
1884+
18761885 $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
18771886 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
18781887 -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
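Review bot: In the `smartswitch` branch of the second hunk the version probe runs `openssl version -v`, which is whatever `openssl` comes first on PATH, while the OCSP query below it runs `$openssl_bin` (set to `$OPENSSL2`). If the two differ, the `Host`/`Host=` form is chosen for the wrong binary and the revocation lookup may fail; probing the binary that is actually used avoids this: `case $("$openssl_bin" version -v | awk -F' ' '{ print $2 }') in`. Separately, the removed code tested `$OSSL_NAME` for LibreSSL first and kept the `Host <name>` form for it, whereas both new `case` arms match `3.*|1.1*` on the version number alone, so a LibreSSL 3.x build now appears to get `Host=`; keeping the LibreSSL test ahead of the `case` would preserve the old behaviour. `check_revocation_ocsp` starts and ends outside these hunks, so how a failed query is reported to the user is not visible here.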