OpenCA Users List,
Today I discovered what seems to be a show-stopping bug -- it causes the ocspd daemon to segfault and crash.

When the responder is set up to respond to queries about RootA, one can test it from a local shell as follows:

    openssl ocsp -url http://OCSP_SERVER:2560/ -issuer rootA.crt -serial 2 -text

where "2" is a number and "rootA.crt" is the public cert for the RootA root certificate. This behaves in the proper, expected manner. However, when one issues the command

    openssl ocsp -url http://OCSP_SERVER:2560/ -issuer rootB.crt -serial 2 -text

where "rootB.crt" is a different root certificate, the following log entry is generated in the responder's syslog:

> Dec 29 04:23:28 OCSP_SERVER ocspd[3202]: INFO::Connection from [MY_HOME_IP_ADDRESS]
> Dec 29 04:23:28 OCSP_SERVER ocspd[3202]: request for certificate serial 2
> Dec 29 04:23:28 OCSP_SERVER ocspd[3202]: request for non reckognized CA [serial 2]

Additionally, this information is displayed to the individual issuing the query:

> [EMAIL PROTECTED]:~/Desktop/OcspTest$ openssl ocsp -url http://OCSP_RESPONDER:2560/ -issuer rootB.crt -serial 2 -text
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 8BA4C9CB172919453EBB8E730991B925F2832265
>           Issuer Key Hash: 16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1
>           Serial Number: 02
>     Request Extensions:
>         OCSP Nonce:
>             041020DB2CB5363B668D6F54F13F4F848EFE
> Error querying OCSP responsder
> 7994:error:27070073:OCSP routines:OCSP_sendreq_bio:server response parse error:ocsp_ht.c:108:

Finally, the responder segfaults and crashes. This is a Bad Thing(tm).

This is a major issue, as a single malformed query can crash the responder. I'm sure you realize how critical this is.

A few other relatively minor issues are also worth mentioning:

- "responsder" is mis-spelled in the error message sent back to the user doing the querying.
- "reckognized" is mis-spelled in the syslog.
- There is no instruction or other indication that "server_cert" is needed in the ocspd.conf file. The daemon refused to start and presented a cryptic error message in the syslog saying it was missing "server_cert" in "first_ca". Only through trial and error did I finally figure out what it's asking for.
- Is there any way to build a Debian package for distribution? Source always works, and RPMs are fine if you're running a Red Hat compatible system, but there's a lot of us Debian admin-types who want to run responders and like the convenience of packages for their ease of installation and clean removal. I could whip one up with checkinstall, if folks want, but that doesn't resolve any dependencies...

I'm using the "openca-ocspd-1.5.2" source (I'm a volunteer with CAcert and they sent me the source so I could set up a US mirror for their OCSP responder) running on a Debian (Etch) system that's fully up-to-date. I've tested this with a few different root certificates playing the role of "rootB", all resulting in an identical error message and crash.

System specs are as follows:

- OpenSSL 0.9.8c 05 Sep 2006
- Kernel 2.6.18-53.1.4.el5xen
- openca-ocspd-1.5.2 (compiled from source with LDAP disabled)
- gcc 4.1.1-15

Can anyone else confirm this bug? Does it occur with 1.5.1-r1 as well?

Cheers!
-Pete

-- 
Pete Stephenson
HeyPete.com

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
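The failure Pete reports, a CertID whose issuer hashes match no CA the responder is configured for, is exactly the case a responder must answer with an OCSP error status rather than dereference a missing CA entry. The following is an added example, not code from ocspd or from the mail above: it walks the DER of an OCSPRequest with a minimal TLV parser, extracts each CertID, and returns the RFC 2560 response status the daemon should send. The "rootA" hashes and the sample request bytes are constructed; the rootB hashes are the ones quoted in the mail.

```python
# Constructed: the responder is configured for one CA, keyed by (issuerNameHash, issuerKeyHash),
# i.e. SHA-1 of the issuer's DER subject name and of its subjectPublicKey (here stand-in bytes).
ROOT_A = (bytes(range(20)), bytes(range(20, 40)))      # stand-in 20-byte SHA-1 values
KNOWN_CAS = {ROOT_A: "rootA"}
# Hashes taken from the rootB request quoted in the mail: an issuer this responder does not serve.
ROOT_B = (bytes.fromhex("8BA4C9CB172919453EBB8E730991B925F2832265"),
          bytes.fromhex("16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1"))

def der(tag, body):
    """Encode one DER TLV with a short definite length (body must be < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def children(body):
    """Split a DER constructed body into (tag, value) pairs; raises ValueError on truncation."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                                   # long form: next N bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        if pos + length > len(body):
            raise ValueError("element runs past end of buffer")
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def build_request(name_hash, key_hash, serial):
    """Constructed minimal OCSPRequest: one CertID with hashAlgorithm sha1, no extensions."""
    sha1 = der(0x30, der(0x06, bytes.fromhex("2B0E03021A")) + der(0x05, b""))   # OID 1.3.14.3.2.26
    cert_id = der(0x30, sha1 + der(0x04, name_hash) + der(0x04, key_hash) + der(0x02, bytes([serial])))
    # OCSPRequest { TBSRequest { requestList { Request { reqCert } } } }
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def cert_ids(request):
    """Yield (issuerNameHash, issuerKeyHash, serial) for every CertID in a DER OCSPRequest."""
    tbs = children(children(request)[0][1])[0][1]          # OCSPRequest -> tbsRequest body
    request_list = [v for t, v in children(tbs) if t == 0x30][0]   # skip [0] version, [1] requestorName
    for _, single in children(request_list):                # each Request body
        _alg, name_hash, key_hash, serial = children(children(single)[0][1])   # the four CertID fields
        yield name_hash[1], key_hash[1], int.from_bytes(serial[1], "big")

def response_status(request, known_cas=KNOWN_CAS):
    """Return the OCSPResponseStatus (RFC 2560) the daemon should send; never raises on bad input."""
    try:
        ids = list(cert_ids(request))
    except (IndexError, ValueError):
        return "malformedRequest"
    for name_hash, key_hash, _serial in ids:
        if (name_hash, key_hash) not in known_cas:
            return "unauthorized"    # issuer not configured here: report it instead of segfaulting
    return "successful"              # would go on to look up the serial in the CA's revocation data
```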