On 09/02/2016 14:36, Rainer Jung wrote:
> Hi Steve,
>
> thanks a lot for your review and comments. More inline.
>
> On 09.02.2016 at 13:34, Dr Stephen Henson wrote:
>> On 09/02/2016 10:20, Rainer Jung wrote:
>>>
>>> 3) ssl_engine_ocsp.c
>>>
>>> In modssl_verify_ocsp() the following code accesses the struct member
>>> "valid", for which currently no accessor function exists in 1.1.0:
>>>
>>>     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
>>>         /* don't do OCSP checking for valid self-issued certs */
>>>         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
>>>                       "Skipping OCSP check for valid self-issued cert");
>>>         X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>>         return 1;
>>>     }
>>>
>>
>> It's not clear what that code is supposed to do. The check isn't for
>> "self-issued", because that would just require comparing the subject and
>> issuer names; it is actually checking for a self-signed certificate.
>>
>> Is it supposed to be skipping OCSP checking for a trusted root?
>
> The svn log message says "Don't do OCSP checks for valid self-issued certs".
> The change was discussed here
>
> http://marc.info/?t=129214629500002&r=1&w=2
>
> with some older discussion here
>
> http://marc.info/?t=119636863800005&r=1&w=2
>
> As far as I get it, it is meant as an optimization to skip OCSP in cases where
> it isn't needed or useful. But I'm far from being an expert here. Kaspar, who
> introduced it originally, formulated it as "prevents mod_ssl from doing unnecessary
> OCSP checks (valid self-issued certs, i.e. trust anchors configured through
> SSLCACertificate{File,Path})".
>
> I'll CC Kaspar directly.
>
OK, it looks like at that point the certificate has been verified anyway, so you
don't gain anything by checking cert->valid.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com