On Mon, Nov 13, 2006, Simon McMahon wrote:

> >
> > Ah that's a bug in the ASN1 module associated with the OCSP request.
> > I'll look into fixing that.
>
> Thanks. My other post shows the openssl request (with -no_certs) includes
> an empty sequence for 'certs' which the responder must be looking for.
>

Yes that's a symptom of the same bug: if a SEQUENCE OF field is not OPTIONAL
the ASN1 code will output an empty SEQUENCE if nothing has been added to it.

I've just committed a fix.

> I'm still not sure how or if the responder is validating the request in
> the -no_certs case. I used a cert that the responder could not have known
> and it still responded 'good'. I.e. no error regarding request validation.
>

It isn't verifying the request at all: currently the ocsp test application
doesn't include any code to check the signature of signed requests.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
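An added example (not from this thread and not OpenSSL code): a minimal DER walker that reports whether the optional 'certs' field of an OCSP request Signature (RFC 2560: `certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL`) is absent, present but empty as in the bug discussed above, or populated. The function names and the sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def certs_state(signature_der):
    """Classify Signature.certs as 'absent', 'empty' or 'populated'."""
    tag, body, end = read_tlv(signature_der, 0)
    if tag != 0x30 or end != len(signature_der):
        raise ValueError("expected exactly one SEQUENCE")
    fields = children(body)
    # signatureAlgorithm (SEQUENCE) and signature (BIT STRING) are mandatory.
    if len(fields) < 2 or fields[0][0] != 0x30 or fields[1][0] != 0x03:
        raise ValueError("not a Signature structure")
    for tag, val in fields[2:]:
        if tag == 0xA0:  # certs [0] EXPLICIT wrapper
            inner = children(val)
            if len(inner) != 1 or inner[0][0] != 0x30:
                raise ValueError("certs must wrap a single SEQUENCE")
            return "populated" if inner[0][1] else "empty"
    return "absent"

# Constructed sample data (not captured traffic): sha1WithRSAEncryption
# AlgorithmIdentifier and a dummy 4-byte signature value.
ALG = bytes.fromhex("300d06092a864886f70d0101050500")
SIG = bytes.fromhex("030500deadbeef")
seq = lambda content: b"\x30" + bytes([len(content)]) + content  # short-form length only
ABSENT = seq(ALG + SIG)                                  # certs omitted
EMPTY = seq(ALG + SIG + bytes.fromhex("a0023000"))       # [0] { SEQUENCE {} }
POPULATED = seq(ALG + SIG + bytes.fromhex("a00430023000"))  # placeholder element, not a real cert
```

A request classified as "empty" carries the extra `A0 02 30 00` bytes where a correctly encoded request without certificates would simply omit the field.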