
Commit 3b1ebd9

author
David Cooper
authored
OpenSSL version check in check_revocation_ocsp()
The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.*. In addition, the code uses $OPENSSL2, which is not defined. This commit fixes these issues.
1 parent dd188c1 commit 3b1ebd9

1 file changed

Lines changed: 9 additions & 14 deletions


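--- a/testssl.sh
+++ b/testssl.sh
@@ -1835,7 +1835,7 @@ check_revocation_ocsp() {
 local host_header=""
 local openssl_bin="$OPENSSL"
 local addtl_warning=""
-local smartswitch=false
+local ossl_name="$OSSL_NAME" ossl_ver="$OSSL_VER"
 
 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -1857,10 +1857,12 @@ check_revocation_ocsp() {
 if [[ $OPENSSL =~ openssl.Linux.$(uname -m) ]]; then
 # --phone-out doesn't lawyas work with "our" binary. We use just for that purpose
 # the vendor supplied binary if available, see #2516 and probably also #2667 and #1275
-if [[ -x "$OPENSSL2" ]]; then
-openssl_bin="$OPENSSL2"
-smartswitch=true
+if [[ -x "/usr/bin/openssl" ]]; then
+openssl_bin="/usr/bin/openssl"
 [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
+ossl_ver="$($openssl_bin version -v 2>/dev/null)"
+ossl_name="${ossl_ver%% *}"
+ossl_ver="${ossl_ver#$ossl_name }"
 fi
 else
 addtl_warning="(a segfault indicates here you need to test this with another binary)"
@@ -1871,16 +1873,9 @@ check_revocation_ocsp() {
 # The following is the default (like "-header Host r11.o.lencr.org")
 host_header="-header Host ${host_header}"
 
-if "$smartswitch" ; then
-case $(openssl version -v | awk -F' ' '{ print $2 }') in
-# for those versions it's "-header Host=r11.o.lencr.org"
-3.*|1.1*) host_header=${host_header/Host /Host=} ;;
-esac
-else
-case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
-3.*|1.1*) host_header=${host_header/Host /Host=} ;;
-esac
-fi
+case "$ossl_ver" in
+3.*|1.1*) [[ ! "$ossl_name" =~ LibreSSL ]] && host_header=${host_header/Host /Host=} ;;
+esac
 
 $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \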
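Review bot: In the second hunk the output of `$openssl_bin version -v 2>/dev/null` is used unchecked, so if `/usr/bin/openssl` prints nothing, `ossl_name` and `ossl_ver` both end up empty and the `case "$ossl_ver"` in the third hunk matches no arm. The request then silently goes out with the `-header Host <name>` form, whatever syntax that binary actually expects. In a function that, going by its name, feeds the OCSP revocation result, a query that fails because of the wrong header form is hard to tell apart from a responder problem. I would switch `openssl_bin` only after the probe returned a non-empty string and otherwise keep the original binary together with `$OSSL_NAME`/`$OSSL_VER`. Separately, `${ossl_ver#$ossl_name }` expands `$ossl_name` as a glob pattern, whereas `ossl_ver="${ossl_ver#"$ossl_name" }"` strips it literally; the function body starts and ends outside the hunks shown.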
