Dennis, just to confirm... is this build OCSP-enabled, or is it entirely absent
and yet presenting the ocsp help in absence of the feature?

On Sun, Oct 14, 2018 at 4:38 PM Dennis Clarke <dcla...@blastwave.org> wrote:

> On 10/14/2018 05:14 PM, Rainer Jung wrote:
> > Am 14.10.2018 um 22:58 schrieb William A Rowe Jr:
> >> On Sun, Oct 14, 2018 at 3:50 PM Rainer Jung <rainer.j...@kippdata.de
> >> <mailto:rainer.j...@kippdata.de>> wrote:
> >>
> >>
> >>     And Jim already said "With 1.1.1, both return 1, but so what, we know
> >>     that it has ocsp."
> >>
> >>
> >> That, of course, is nonsense.
> >>
> >> OpenSSL is malleable... with numerous no-{feature} choices, we really
> >> shouldn't presume presence of features by OpenSSL version. Otherwise, why
> >> wouldn't we simply use a regex against `openssl version`?
> >
> > Agreed, looking at the code it seems that starting with 1.1.0 (I only
> > checked 1.1.0i) ocsp can be disabled with no-ocsp.
> >
>
> As a red herring that illustrates how oddball the situation could get :
>
> $ /usr/sfw/bin/openssl version 2>&1 | cut -f1 -d\(
> OpenSSL 0.9.7d 17 Mar 2004
>
> $ /usr/sfw/bin/openssl ocsp > /dev/null
> OCSP utility
> Usage ocsp [options]
> where options are
> -out file          output filename
> -issuer file       issuer certificate
> -cert file         certificate to check
> -serial n          serial number to check
> -signer file       certificate to sign OCSP request with
> -signkey file      private key to sign OCSP request with
> -sign_other file   additional certificates to include in signed request
> -no_certs          don't include any certificates in signed request
> -req_text          print text form of request
> -resp_text         print text form of response
> -text              print text form of request and response
> -reqout file       write DER encoded OCSP request to "file"
> -respout file      write DER encoded OCSP reponse to "file"
> -reqin file        read DER encoded OCSP request from "file"
> -respin file       read DER encoded OCSP reponse from "file"
> -nonce             add OCSP nonce to request
> -no_nonce          don't add OCSP nonce to request
> -url URL           OCSP responder URL
> -host host:n       send OCSP request to host on port n
> -path              path to use in OCSP request
> -CApath dir        trusted certificates directory
> -CAfile file       trusted certificates file
> -VAfile file       validator certificates file
> -validity_period n maximum validity discrepancy in seconds
> -status_age n      maximum status age in seconds
> -noverify          don't verify response at all
> -verify_other file additional certificates to search for signer
> -trust_other       don't verify additional certificates
> -no_intern         don't search certificates contained in response for signer
> -no_signature_verify don't check signature on response
> -no_cert_verify    don't check signing certificate
> -no_chain          don't chain verify response
> -no_cert_checks    don't do additional checks on signing certificate
> -port num          port to run responder on
> -index file        certificate status index file
> -CA file           CA certificate
> -rsigner file      responder certificate to sign responses with
> -rkey file         responder key to sign responses with
> -rother file       other certificates to include in response
> -resp_no_certs     don't include any certificates in response
> -nmin n            number of minutes before next update
> -ndays n           number of days before next update
> -resp_key_id       identify reponse by signing certificate key ID
> -nrequest n        number of requests to accept (default unlimited)
> Segmentation Fault(coredump)
> $
>
> So, the situation can get out of hand quickly.
>
> Dennis
>
> ps: I am on the sidelines reading *all* of this and wondering ...
>
