This bug is present in OpenSSL 1.0.1 and all previous version which I
have looked at
Example of bug:
> openssl ocsp -issuer tom-ca_root_cert.pem -nonce -CAfile
tom-ca_root_cert.pem -url
http://[2001:420:40ff:ffe0:bca9:7919:9219:86b6]:88 -cert
user_signed_cert.pem
Error connecting BIO
Error querying OCSP responsder
34574:error:2006A066:BIO routines:BIO_get_host_ip:bad hostname
lookup:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/b_sock.c:140:host=[2001
If the url provided to openssl ocsp contains an IPv6 address (contained
in square brackets as specified in RFC 3986) then the parsing of the URL
fails.
In OCSP_parse_url() the first : after the http:// is incorrectly
assumed to precede the port number. so the host string ends up as
"[2001" and the port string is wrong also.
Proposed patch to crypto\oscp\ocsp_lib.c attached.
223a224,240
>
> p = host;
>
> /* Check if host is enclosed in sqaure brackets indicating an IPv6
> address which will contatin some ':' */
>
> if (host[0] == '[')
> {
> if (p = strchr(host, ']'))
> {
> /* host was IPv6 address encloded in [
> ], move beyond this for rest of parsing (avoiding any ':' which might confuse
> the port parsing)*/
> p++;
> }
> else
> {
> goto parse_err;
> }
> }
226c243
< if ((p = strchr(host, ':')))
---
> if ((p = strchr(p, ':')))
