Facundo Tuesca
Since this could not be reproduced and the CI tests have been working, I think it can be closed @alex @mhils
This was fixed by https://github.com/pyca/pyopenssl/pull/967 and can now be closed. cc @reaperhulk @mhils
While the above answer is a good example of how to validate a stapled OCSP response on the client side, I believe the original question was about how to implement...
To add to the answer above, the `NO_RENEGOTIATION` constant is also provided by PyOpenSSL:

```python
from OpenSSL import SSL

ctx.set_options(SSL.OP_NO_RENEGOTIATION)
```

@mhils I think this one can be closed
This flag is now exposed in `X509StoreFlags.PARTIAL_CHAIN`. Here's an example:

```python
from OpenSSL.crypto import X509Store, X509StoreFlags

store = X509Store()
store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
```

@alex @mhils This can be closed now
This is possible using [`X509Store::set_flags()`](https://www.pyopenssl.org/en/latest/api/crypto.html#OpenSSL.crypto.X509Store.set_flags):

```python
from OpenSSL.crypto import X509Store, X509StoreFlags

store = X509Store()
store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
```

@mhils I think this one can be closed
Taking into account @reaperhulk's answer:

> In that case it's just using the standard system verification, so any failure suggests that there's **an issue with either the actual server certificate**...
This has been fixed in https://github.com/pyca/pyopenssl/commit/41ceefb0f81d6ac056e9d84e47de57191e067b8e, and can now be closed. cc @reaperhulk
@alex I also added an item to the CHANGELOG
@OrkoHunter Would it be possible to yank this vulnerable version (`1.2`) from PyPI, to prevent the issue described above?