On 17/01/2011 13:39, Joe Orton wrote:
> On Sun, Jan 16, 2011 at 11:34:29AM +0100, Kaspar Brand wrote:
>> On 13.12.2010 15:24, Jim Jagielski wrote:
>>> At this late in the game, I would prefer to do this post-2.3.10...
>>> safer that way.
>>
>> Polite reminder, according to [1]... :-) I feel it's important because
>> it addresses PR 49784 and a few additional improvements for the OCSP
>> checking code (for client auth).
>>
>> Patch v2 from December is attached again, for the sake of easier reference.
>
> Thanks a lot for the patch & the prod...
>
> I've merged the config options changes with some minor tweaks (OpenSSL
> seems to stomp on the OCSP_* namespace so I renamed the macros):
>
> http://svn.apache.org/viewvc?rev=1059917&view=rev
>
> w.r.t. the change to skip OCSP validation for valid self-signed certs, I
> brought this up a while back:
>
> http://www.mail-archive.com/[email protected]/msg38849.html
>
> and Stephen said it should probably be configurable. Has common practice
> evolved here such that hard-coding the less strict behaviour is
> reasonable?
>
I still believe it should be configurable. A root CA can be revoked for a
number of reasons, although key compromise has security issues if the
responder certificate is part of the chain (i.e. cases #1 and #2 in that
message). Apache OCSP AFAIK currently doesn't handle case #3 at all
(trusting responders with keys trusted by some out-of-band means). There
is a fix/enhancement for this (which also addresses the issue Steve
Marquess brought up) in PR46037.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
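The point Stephen is making (why an OCSP check on a self-signed root is only meaningful when the responder's authority does not derive from the root's own key) can be modelled with the three responder-trust rules of RFC 6960 section 4.2.2.2. The following is an added example written for this page; it is not code from httpd/mod_ssl, from OpenSSL, or from the patch under discussion. It assumes that "cases #1 and #2" in the earlier message are the issuer-signed and CA-delegated responder cases and that "case #3" is a responder key trusted out of band; the certificate records, key identifiers and the `skip_circular_self_signed` policy flag are all constructed for illustration and no real signatures are verified.

```python
"""Model of OCSP responder authorisation (RFC 6960 s4.2.2.2) and of why an
OCSP query for a self-signed root is circular under two of the three rules.

Added example for this thread, not httpd/mod_ssl or OpenSSL code.  Certs and
keys are plain records with constructed identifiers; signature verification
is assumed to have happened already (we only model whose key is trusted).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

OCSP_SIGNING = "id-kp-OCSPSigning"   # EKU required for a delegated responder


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # subject name of the CA that issued this cert
    key_id: str            # identifies the public key carried in this cert
    signer_key_id: str     # identifies the key that signed this cert
    eku: FrozenSet[str] = frozenset()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.signer_key_id


def responder_case(target: Cert, responder: Cert,
                   oob_keys: FrozenSet[str]) -> Optional[int]:
    """Which RFC 6960 rule authorises `responder` to answer for `target`.

    1: responder signs with the key that issued `target` (the CA itself)
    2: responder cert was issued by `target`'s CA and carries OCSPSigning EKU
    3: responder key is trusted by out-of-band configuration (case #3)
    None: response must be rejected.
    Case 3 is checked first because it does not depend on `target`'s chain.
    """
    if responder.key_id in oob_keys:
        return 3
    if responder.key_id == target.signer_key_id:
        return 1
    if responder.signer_key_id == target.signer_key_id and OCSP_SIGNING in responder.eku:
        return 2
    return None


def ocsp_check_is_circular(target: Cert, responder: Cert,
                           oob_keys: FrozenSet[str]) -> bool:
    """True when the only thing vouching for the revocation answer is the
    key whose revocation is being asked about.  An attacker holding a
    compromised root key could then sign a 'good' response for the root.
    Only a self-signed cert can be in this position; for a leaf or
    intermediate the responder's authority comes from the issuer instead.
    """
    if not target.self_signed:
        return False
    case = responder_case(target, responder, oob_keys)
    if case in (1, 2):
        return True                       # authority rests on the root key
    if case == 3:
        return responder.key_id == target.key_id   # OOB-trusted key is the root key
    return False                          # not authorised: rejected anyway


def should_query_ocsp(target: Cert, responder: Cert, oob_keys: FrozenSet[str],
                      skip_circular_self_signed: bool) -> bool:
    """The policy knob the thread argues should be configurable (hypothetical
    flag): skip the query only when the admin opted in and it is circular."""
    if skip_circular_self_signed and ocsp_check_is_circular(target, responder, oob_keys):
        return False
    return True


# Constructed sample PKI: a root, a delegated responder it issued, a client
# cert, a responder with no OCSPSigning EKU and an independent responder
# whose key is distributed out of band.
ROOT = Cert("Example Root", "Example Root", "k-root", "k-root")
DELEGATED = Cert("Example OCSP", "Example Root", "k-ocsp", "k-root", frozenset({OCSP_SIGNING}))
NO_EKU = Cert("Example Web", "Example Root", "k-web", "k-root")
LEAF = Cert("client1", "Example Root", "k-client1", "k-root")
INDEPENDENT = Cert("Audit Responder", "Audit Responder", "k-audit", "k-audit")
OOB_KEYS = frozenset({"k-audit"})

if __name__ == "__main__":
    for target, responder in ((ROOT, ROOT), (ROOT, DELEGATED), (ROOT, INDEPENDENT),
                              (LEAF, DELEGATED), (LEAF, NO_EKU)):
        print(f"{target.subject:15} via {responder.subject:15} "
              f"case={responder_case(target, responder, OOB_KEYS)} "
              f"circular={ocsp_check_is_circular(target, responder, OOB_KEYS)}")
```

Run as a script it prints one line per (target, responder) pair; the two root-via-root and root-via-delegated rows come out as authorised but circular, the out-of-band responder row as authorised and not circular, which is the distinction between cases #1/#2 and #3 above. Without any out-of-band key configured, the independent responder is not authorised at all, which is the situation the message describes for a stack that does not implement case #3.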
