DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123
------- Additional Comments From [EMAIL PROTECTED]  2007-11-28 14:28 -------
(In reply to comment #39)
> I was missing something. I was assuming the OCSP calls were being made *after*
> the chain is validated instead of inside the verification callback.
> 
> If you make OCSP calls inside the verification callback the chain may not be
> fully trusted when you make the OCSP requests. This would allow a carefully
> constructed certificate chain to persuade a server to make arbitrary OCSP
> requests to any URL. Some would regard this as undesirable.

If the cert being verified is not trusted, the SSLVerify callback will get
invoked with ok=0 though, surely? (The OCSP code won't get invoked in that case,
only if the cert *is* trusted.)

But I did find this confusing, anyway.  Is it at all desirable to be doing OCSP
validation of every cert in the chain, including whatever root CA?  Marc, was
the code written like this deliberately?

It would be simple enough to only do the OCSP validation for the actual peer cert.

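The gating the comment above argues for (no OCSP request for a cert the verifier has not accepted, and OCSP only for the peer cert rather than for every cert in the chain, root included) as an added Python model; this is not mod_ssl's code, and the callback shape, the `Cert` class and the responder URLs are constructed for illustration.

```python
from typing import List, Optional, Tuple


class Cert:
    """Constructed stand-in for an X509 cert: subject plus its AIA OCSP responder URL."""
    def __init__(self, subject: str, ocsp_url: Optional[str] = None):
        self.subject = subject
        self.ocsp_url = ocsp_url


def ocsp_verify_callback(preverify_ok: int, depth: int, cert: Cert, requests: List[str]) -> int:
    """Models an SSLVerify-style callback invoked once per cert in the chain.
    preverify_ok is what the library already decided for this cert; depth 0 is the peer.
    Only a peer cert that was already accepted triggers an OCSP lookup."""
    if not preverify_ok:
        return 0                       # untrusted cert: contact nothing, keep the failure
    if depth != 0 or cert.ocsp_url is None:
        return preverify_ok            # intermediates and roots: no OCSP request at all
    requests.append(cert.ocsp_url)     # record the responder that would be queried
    return 1


def verify_chain(chain: List[Cert], trusted_roots: set) -> Tuple[bool, List[str]]:
    """chain[0] is the peer cert and chain[-1] the root, as OpenSSL orders a chain.
    The callback is driven from the root downwards, as the verifier does it."""
    requests: List[str] = []
    ok = 1
    for depth in range(len(chain) - 1, -1, -1):
        cert = chain[depth]
        if depth == len(chain) - 1:
            preverify_ok = 1 if cert.subject in trusted_roots else 0
        else:
            preverify_ok = ok          # a cert is only ok if its issuer was ok
        ok = ocsp_verify_callback(preverify_ok, depth, cert, requests)
        if not ok:
            break                      # verification stops at the first rejected cert
    return bool(ok), requests


# Constructed chains: one rooted in a trusted CA, one rooted in an unknown CA whose
# certs carry a responder URL of the chain's own choosing.
TRUSTED = {"Example Root CA"}
GOOD_CHAIN = [Cert("client.example", "http://ocsp.issuing.example/"),
              Cert("Example Issuing CA", "http://ocsp.root.example/"),
              Cert("Example Root CA")]
UNKNOWN_CHAIN = [Cert("someone", "http://ocsp.unknown.example/"),
                 Cert("Unknown CA", "http://ocsp.unknown.example/"),
                 Cert("Unknown Root")]


def demo() -> Tuple[bool, List[str], bool, List[str]]:
    good_ok, good_reqs = verify_chain(GOOD_CHAIN, TRUSTED)
    bad_ok, bad_reqs = verify_chain(UNKNOWN_CHAIN, TRUSTED)
    return good_ok, good_reqs, bad_ok, bad_reqs
```

With the trusted chain only the peer cert's responder is queried; with the unknown chain the callback sees ok=0 at the root and no request is made at all.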