On 09/02/2016 14:36, Rainer Jung wrote:
> Hi Steve,
> 
> thanks a lot for your review and comments. More inline.
> 
> Am 09.02.2016 um 13:34 schrieb Dr Stephen Henson:
>> On 09/02/2016 10:20, Rainer Jung wrote:
>>>
>>> 3) ssl_engine_ocsp.c
>>>
>>> In modssl_verify_ocsp() the following code accesses the struct member 
>>> "valid",
>>> for which currently no accessor function exists in 1.1.0:
>>>
>>> 268     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
>>> 269         /* don't do OCSP checking for valid self-issued certs */
>>> 270         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
>>> 271                       "Skipping OCSP check for valid self-issued cert");
>>> 272         X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>> 273         return 1;
>>> 274     }
>>>
>>>
>>
>> It's not clear what that code is supposed to do. The check isn't for
>> "self-issued", because that would just require comparing the subject and
>> issuer names; it is actually checking for a self-signed certificate.
> 
>> Is it supposed to be skipping OCSP checking for a trusted root?
> 
> The svn log message says "Don't do OCSP checks for valid self-issued certs". 
> The
> change was discussed here
> 
> http://marc.info/?t=129214629500002&r=1&w=2
> 
> with some older discussion here
> 
> http://marc.info/?t=119636863800005&r=1&w=2
> 
> As far as I get it, it is meant as an optimization to skip OCSP in cases where
> it isn't needed or useful. But I'm far from being an expert here. Kaspar, who
> introduced it originally formulated "prevents mod_ssl from doing unnecessary
> OCSP checks (valid self-issued certs, i.e. trust anchors configured through
> SSLCACertificate{File,Path})".
> 
> I'll CC Kaspar directly.
> 

OK, it looks like at that point the certificate has been verified anyway, so you
don't gain anything by checking cert->valid.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
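Steve's distinction above (a self-issued certificate only needs subject name == issuer name, whereas a self-signed one must verify under its own key) as an added example, not code from the thread or from mod_ssl; it assumes the third-party `cryptography` package is installed and builds two constructed test certificates.

```python
# Added example (not from the thread): a certificate whose subject and issuer
# names match is "self-issued", but it is only "self-signed" if its own public
# key verifies its signature. The second cert below passes the name test only.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(subject_key, signing_key):
    """Constructed cert: subject and issuer names are both 'Test CA' (assumed),
    the public key belongs to subject_key, the signature is made by signing_key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])
    now = datetime.datetime(2016, 2, 9, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(signing_key, hashes.SHA256())
    )


def is_self_issued(cert):
    """Name-only test: what a literal 'self-issued' check amounts to."""
    return cert.subject == cert.issuer


def is_self_signed(cert):
    """Signature test: the cert's own key must verify the cert's signature."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    genuine = _make_cert(ca_key, ca_key)       # self-issued and self-signed
    lookalike = _make_cert(ca_key, other_key)  # self-issued, NOT self-signed
    return {"genuine": (is_self_issued(genuine), is_self_signed(genuine)),
            "lookalike": (is_self_issued(lookalike), is_self_signed(lookalike))}
```

A name-only test would let the lookalike skip OCSP just like a genuine trust anchor; a signature test separates the two.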