On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote:
> Currently the OCSP_basic_verify() function fails with many apparently valid OCSP
> responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS,
> NSS) have no problem with them.
>
> Essentially, in crypto/ocsp/ocsp_vfy.c in the OCSP_basic_verify() function, the
> X509_STORE_CTX_init() function is called like this:
>
>     init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
>
> where ctx is the X509_STORE_CTX to be initialized, st is the trust store passed
> by the user, signer is the signer of the OCSP response (which is what needs to
> be validated), and bs is the decoded OCSP basic response.
>
> The problem is the last argument. OpenSSL uses the cert list embedded in the
> OCSP response to build the trust chain, but it seems that in some cases this
> list is somewhat broken. Other libraries (e.g. GnuTLS) do the verification
> differently, without including those bs->certs that OpenSSL uses.
>
> I attached the patch and a simple test case. You can compile it with:
>
>     $ cc ocsp_test.c -lcrypto -lssl
>
> To test the problem run:
>
>     $ ./a.out digitalocean.com 443
>     OCSP response verification failed
>
> after the patch:
>
>     $ ./a.out digitalocean.com 443
>     OK
Ping?

This is actually pretty important since OpenSSL can't verify OCSP responses from a whole bunch of servers.

Cheers

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
