Richard Levitte - VMS Whacker wrote:
> 
> From: "Florian Oelmaier" <[EMAIL PROTECTED]>
> Subject: RE: cvs commit: openssl/ssl s3_lib.c ssl.h ssl_algs.c ssl_ciph.c ssl_locl.h tls1.h
> Date: Thu, 8 Feb 2001 16:43:31 +0100
> Message-ID: <[EMAIL PROTECTED]>
> 
> flo> I did some tests with the OCSP-client code of the newest OpenSSL Developer
> flo> Snapshot right now, and found a few issues.
> flo>
> 
> flo> 1) OCSP-Client code gives a segmentation fault, if the request was sent with
> flo> OCSP-nonce, but the response did not contain an OCSP-nonce. As far as I
> flo> understood RFC2560 this may be a possible scenario.
> 
> Hmm, first of all, the responder (as I understood RFC 2560) should
> always send back the exact same nonce.  However, the client shouldn't
> go crashing, it should give back an error code of some kind.
> 

Yes I agree. I'll look into it.

> 
> flo> 2) Given an OCSP-Responder, that does not append its own
> flo> certificate (in the delegated case): I could not give an
> flo> OCSP-Certificate to trust using the command line that helped me
> flo> verify the response. You should be aware that there are use cases
> flo> that do not append any certificate to the response. I am not
> flo> really sure if this is a bug of apps/ocsp.c, libcrypto or my
> flo> fault?
> 
> Stephen recently added code in crypto/ocsp to allow that kind of
> verification, so I'd guess the fault is in apps/ocsp.c.
> 

Yes, the OCSP response verification API supports adding additional
certificates but apps/ocsp.c currently doesn't have a command line
option to include them.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
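
Added example (not part of the original thread and not OpenSSL code): a null-safe nonce comparison for the case in item 1, where the request carried a nonce and the response did not. The struct, function and sample names are hypothetical; the return values follow the convention documented for OpenSSL's OCSP_check_nonce().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed OCSP message (not an OpenSSL type):
 * nonce is NULL when the nonce extension is absent. */
struct ocsp_msg { const unsigned char *nonce; size_t nonce_len; };

/* Return values, following the OCSP_check_nonce() convention:
 *   1  both nonces present and equal     2  both absent
 *   3  nonce in response only            0  both present but different
 *  -1  nonce in request only (the case reported in this thread) */
int check_nonce(const struct ocsp_msg *req, const struct ocsp_msg *resp)
{
    int have_req  = req  != NULL && req->nonce  != NULL;
    int have_resp = resp != NULL && resp->nonce != NULL;

    if (!have_req && !have_resp) return 2;
    if (!have_req)  return 3;
    if (!have_resp) return -1;   /* report it; never touch the missing nonce */
    if (req->nonce_len != resp->nonce_len) return 0;
    return memcmp(req->nonce, resp->nonce, req->nonce_len) == 0 ? 1 : 0;
}

/* Caller policy (an assumption of this example): a mismatch is always
 * rejected; a response without a nonce is rejected only if require_nonce
 * is set. Returns 1 to accept, 0 to reject. */
int accept_response(const struct ocsp_msg *req, const struct ocsp_msg *resp,
                    int require_nonce)
{
    int rc = check_nonce(req, resp);
    if (rc == 0)  return 0;
    if (rc == -1) return require_nonce ? 0 : 1;
    return 1;
}

/* Constructed sample data. */
static const unsigned char NONCE_A[] = { 0x01, 0x02, 0x03, 0x04 };
static const unsigned char NONCE_B[] = { 0x01, 0x02, 0x03, 0x05 };
static const struct ocsp_msg REQ        = { NONCE_A, sizeof NONCE_A };
static const struct ocsp_msg RESP_SAME  = { NONCE_A, sizeof NONCE_A };
static const struct ocsp_msg RESP_OTHER = { NONCE_B, sizeof NONCE_B };
static const struct ocsp_msg RESP_NONE  = { NULL, 0 };

int main(void)
{
    printf("no nonce in response: %d\n", check_nonce(&REQ, &RESP_NONE));
    printf("matching nonce:       %d\n", check_nonce(&REQ, &RESP_SAME));
    printf("different nonce:      %d\n", check_nonce(&REQ, &RESP_OTHER));
    return 0;
}
```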
