From 95549de0275fa12376c9d0a1c5d8d71a1126d194 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Tue, 26 May 2026 09:48:47 +0200
Subject: [PATCH] ossl: avoid caching OCSP responses past nextUpdate

---
 runtime/net_ossl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/runtime/net_ossl.c b/runtime/net_ossl.c
index 697832153..f41ebac0e 100644
--- a/runtime/net_ossl.c
+++ b/runtime/net_ossl.c
@@ -1761,6 +1761,7 @@ static int ocsp_check_validate_response_and_cert(OCSP_RESPONSE *rsp,
 	/* Store result in cache */
 	char *cache_key = ocsp_make_cache_key(cert, issuer);
 	if (cache_key) {
+		int should_cache = 1;
 		time_t cache_ttl = OCSP_CACHE_DEFAULT_TTL;
 		/* Use nextUpdate if available for more accurate cache expiry */
 		if (nextupd) {
@@ -1771,12 +1772,19 @@ static int ocsp_check_validate_response_and_cert(OCSP_RESPONSE *rsp,
 				time_t seconds_until_expiry = (pday * 86400) + psec;
 				if (seconds_until_expiry > 0) {
 					cache_ttl = seconds_until_expiry;
+				} else {
+					/* avoid caching stale responses accepted only via OCSP leeway */
+					should_cache = 0;
 				}
 			} else {
 				dbgprintf("OCSP: ASN1_TIME_diff() failed, using default TTL\n");
 			}
 		}
-		ocsp_cache_store(cache_key, status, cache_ttl);
+		if (should_cache) {
+			ocsp_cache_store(cache_key, status, cache_ttl);
+		} else {
+			dbgprintf("OCSP: nextUpdate is not in the future, skipping cache store\n");
+		}
 		free(cache_key);
 	}
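Review bot: The new `int should_cache = 1;` in the first hunk carries no comment, and a reader of this block alone cannot tell under which conditions it is cleared; from the visible lines it stays set whenever `nextupd` is absent or the time computation fails, so those responses are still stored for OCSP_CACHE_DEFAULT_TTL, and it appears to be cleared only when the computed time to nextUpdate is not positive. I would document that at the declaration: `int should_cache = 1; /* cleared below when nextUpdate is already in the past; a missing or undiffable nextUpdate still caches for the default TTL */`. Whether caching for the default TTL is intended when nextUpdate cannot be evaluated is a question the commit message does not answer, and it is worth a sentence there since a cached status outlives the response it came from. The enclosing function ocsp_check_validate_response_and_cert starts before this hunk and continues past it.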