I haven't looked at the openssl OCSP code recently...  well, okay I just
took a look.  The comment for OCSP_check_nonce says it is wrong for a
server to send a nonce if a client doesn't send one.  That's wrong: a
server is always free to send a nonce, that's the only way it can
guarantee its responses won't be re-used.

If the client sends a nonce, the server should include the nonce in its
reply. Some servers won't, either because they're broken or because they
choose not to and the RFC allows it.

Since it appears that nothing within OpenSSL calls add1_nonce or
check_nonce, but they are instead leaving it up to the client,
*OpenSSL is doing the right thing.*

Well, except the core dump of course. :)

> This problem is very similar to the problem identrus had
> for validating their Level-1 CAs.

Can you explain?

        /r$
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

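The nonce handling discussed in the message above, as an added worked example that is not part of the original post and not OpenSSL's own code. It builds and parses the id-pkix-ocsp-nonce extension (OID 1.3.6.1.5.5.7.48.1.2) in DER, reports the four present/absent combinations using the same return-code convention as OpenSSL's OCSP_check_nonce(), and then applies the client-side policy the post argues for: a nonce in the response only is fine (the responder may always add one), a mismatch is fatal, and a response that drops the client's nonce is accepted only if the caller opts in. The inner OCTET STRING wrapping of the nonce bytes follows OpenSSL's encoding (later codified in RFC 8954); function names, the 16-byte nonce length and the accept_response() policy are this example's own choices, not anything the post or OpenSSL specifies.

```python
"""Added example (not from the original post or from OpenSSL): the OCSP nonce
extension in DER, OpenSSL-style nonce checking, and a client acceptance policy.
Only the nonce extension is modelled; the rest of the OCSP messages is omitted."""
import os

# id-pkix-ocsp-nonce = 1.3.6.1.5.5.7.48.1.2, DER-encoded OID contents
OCSP_NONCE_OID = bytes.fromhex("2b0601050507300102")


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos, want_tag):
    """Read one TLV at buf[pos]; return (contents, position after it)."""
    if pos >= len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:pos + length], pos + length


def make_nonce_extension(nonce=None):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    OpenSSL (and RFC 8954) put the nonce bytes in an inner OCTET STRING."""
    nonce = os.urandom(16) if nonce is None else nonce   # 16 bytes: example choice
    inner = _tlv(0x04, nonce)
    return _tlv(0x30, _tlv(0x06, OCSP_NONCE_OID) + _tlv(0x04, inner))


def parse_nonce_extension(ext):
    """Return the raw nonce bytes from a DER nonce Extension, or raise ValueError."""
    seq, end = _read_tlv(ext, 0, 0x30)
    if end != len(ext):
        raise ValueError("trailing data after Extension")
    oid, pos = _read_tlv(seq, 0, 0x06)
    if oid != OCSP_NONCE_OID:
        raise ValueError("not the OCSP nonce extension")
    if pos < len(seq) and seq[pos] == 0x01:      # optional 'critical' BOOLEAN
        _, pos = _read_tlv(seq, pos, 0x01)
    outer, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("trailing data in Extension")
    inner, end = _read_tlv(outer, 0, 0x04)
    if end != len(outer):
        raise ValueError("trailing data in extnValue")
    return inner


def check_nonce(req_ext, resp_ext):
    """Same return convention as OpenSSL's OCSP_check_nonce():
    1 both present and equal, 0 both present but different,
    -1 nonce only in the response, 2 absent from both, 3 only in the request."""
    req = parse_nonce_extension(req_ext) if req_ext is not None else None
    resp = parse_nonce_extension(resp_ext) if resp_ext is not None else None
    if req is None and resp is None:
        return 2
    if req is None:
        return -1
    if resp is None:
        return 3
    return 1 if req == resp else 0


def accept_response(req_ext, resp_ext, allow_missing_nonce=False):
    """Example client policy (this example's own, not OpenSSL's): a responder may
    always add a nonce (-1 is fine); a mismatch (0) is a replayed or foreign
    response; a dropped client nonce (3) is RFC-permitted but replayable, so the
    caller must opt in."""
    code = check_nonce(req_ext, resp_ext)
    if code == 0:
        return False
    if code == 3:
        return allow_missing_nonce
    return True
```

To use it against real messages, extract the nonce Extension from the OCSP request's requestExtensions and the response's responseExtensions and hand both DER blobs to accept_response(); passing None for a side that carried no nonce extension produces the -1, 2 and 3 cases above.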