A successfully fetched but unusable OCSP response prevents fetching other OCSP responses

[atmenta]

ocsp_client.fetch returns the first successfully fetched OCSP response:

https://github.com/wbond/certvalidator/blob/5bc5c390c1955195507c23db91b8926bb03f7385/certvalidator/ocsp_client.py#L90-L107

This is the only response which is available for callers: ValidationContext.retrieve_ocsps and in turn validate.verify_ocsp_response. Processing of the response happens in the latter of those. If the revocation status of the certificate can not be determined successfully from that response, at that point there is no way to fetch a new OCSP response, even if that response was not fetched from the last URL from cert.ocsp_urls (i.e. there are more URLs which could be used to fetch OCSP responses from).

To potentially utilize responses from all OCSP responders referenced by the certificate without wastefully fetching responses which later may prove to be unneeded, one could refactor ocsp_client.fetch and ValidationContext.retrieve_ocsps to become generators yielding "a list of" OCSP responses one by one.

[wbond]

Yes, it does seem that currently it will short circuit and fail if for some reason the first OCSP response is invalid.