Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
On 18.02.15 at 13:19, Stephan Mühlstrasser wrote:
> Unfortunately the -no_explicit command line option is not documented: https://www.openssl.org/docs/apps/ocsp.html
>
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the -no_explicit command line option? What exactly is checked by the X509_check_trust() call above with respect to the relevant RFCs?

As there is no documentation and as no one seems to know the meaning of -no_explicit for openssl ocsp, should I file a documentation defect in RT for that?

If I understand the code in OCSP_basic_verify() that depends on the OCSP_NOEXPLICIT flag correctly, it checks the root CA for the presence of the OCSPSigning flag in the extended key usage field. I could not find anything in RFC 6960 and RFC 2560 that would mandate such a check for the root CA certificate. Only the OCSP signing certificate must have OCSPSigning in the extended key usage field. So maybe it is even a bug in the code itself?

-- 
Stephan

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
> As there is no documentation and as no one seems to know the meaning of -no_explicit for openssl ocsp, should I file a documentation defect in RT for that?

Yes, please.
Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
On Wed, Feb 18, 2015, Stephan Mühlstrasser wrote:
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the -no_explicit command line option? What exactly is checked by the X509_check_trust() call above with respect to the relevant RFCs?

If the responder root CA is set to be trusted for OCSP signing then it can be used to sign OCSP responses for any certificate (aka a global responder). This comes under:

   1. Matches a local configuration of OCSP signing authority for the certificate in question

or alternatively:

   Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response.

from RFC2560 et al. If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour is disabled.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
On Tue, Feb 24, 2015, Stephan Mühlstrasser wrote:
> Do I understand it correctly then that a local configuration of OCSP signing authority here means that it is a deliberate choice inside OpenSSL itself to look for the OCSPSigning flag in the extended key usage of the root CA, although RFC 2560 does not say so?

No, it's a separate thing called a trust setting which is not part of the certificate itself. This is something which has to be explicitly configured to trust that root CA for OCSPSigning. It's OpenSSL's version of the trust settings you see in browsers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
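The "trust setting" Stephen describes, as an added example that is not part of this thread: OpenSSL stores it as auxiliary trust data attached to the root certificate (the "TRUSTED CERTIFICATE" PEM object written by `openssl x509 -addtrust`), which is what `X509_check_trust(x, NID_OCSP_sign, 0)` in OCSP_basic_verify() consults. The script builds a throwaway root, marks it trusted for OCSPSigning, and shows the difference; the CN, lifetime and file names are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrate OpenSSL's per-certificate
# trust setting for OCSP signing. It is separate from the certificate's own
# extendedKeyUsage extension and lives only in the trusted-certificate file.
set -e
WORK=$(mktemp -d)

# Constructed throwaway self-signed root (no EKU at all, so any "OCSP Signing"
# shown later can only come from the aux trust data, not from the cert body).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Attach the OCSPSigning trust setting. The output is the same certificate
# plus X509_CERT_AUX data, wrapped as "TRUSTED CERTIFICATE" PEM.
add_ocsp_trust() {
    openssl x509 -in "$WORK/root.pem" -addtrust OCSPSigning \
        -out "$WORK/root-ocsp-trusted.pem" 2>/dev/null
}

# First line of the PEM file: tells plain and trusted certificates apart.
pem_label() {
    head -n 1 "$1"
}

# Prints "trusted" when the file carries an OCSPSigning trust setting
# ("openssl x509 -text" lists aux trust under "Trusted Uses:"), else "plain".
ocsp_trust_state() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
    if printf '%s\n' "$text" | grep -q "Trusted Uses:" &&
       printf '%s\n' "$text" | grep -q "OCSP Signing"; then
        echo trusted
    else
        echo plain
    fi
}

make_root
add_ocsp_trust
echo "root.pem:             $(pem_label "$WORK/root.pem") / $(ocsp_trust_state "$WORK/root.pem")"
echo "root-ocsp-trusted.pem: $(pem_label "$WORK/root-ocsp-trusted.pem") / $(ocsp_trust_state "$WORK/root-ocsp-trusted.pem")"
# Passing root-ocsp-trusted.pem as -CAfile to "openssl ocsp" lets responses
# chaining to this root verify as a global responder; "-no_explicit" (the
# OCSP_NOEXPLICIT flag) makes OCSP_basic_verify() ignore this trust setting.
```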
Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
On 24.02.2015 at 16:19, Salz, Rich wrote:
>> As there is no documentation and as no one seems to know the meaning of -no_explicit for openssl ocsp, should I file a documentation defect in RT for that?
>
> Yes, please.
>
> Never mind, Stephen already fixed the doc in master :)

Sorry, I already sent a message to the RT address.

-- 
Stephan
Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
>> As there is no documentation and as no one seems to know the meaning of -no_explicit for openssl ocsp, should I file a documentation defect in RT for that?
>
> Yes, please.

Never mind, Stephen already fixed the doc in master :)
Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
On 24.02.15 at 14:47, Dr. Stephen Henson wrote:
> If the responder root CA is set to be trusted for OCSP signing then it can be used to sign OCSP responses for any certificate (aka a global responder). This comes under:
>
>    1. Matches a local configuration of OCSP signing authority for the certificate in question
>
> or alternatively:
>
>    Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response.
>
> from RFC2560 et al. If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour is disabled.

Do I understand it correctly then that a local configuration of OCSP signing authority here means that it is a deliberate choice inside OpenSSL itself to look for the OCSPSigning flag in the extended key usage of the root CA, although RFC 2560 does not say so?

-- 
Stephan
[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Hi,

I have a question about the behavior of OCSP_basic_verify() and the meaning of the OCSP_NOEXPLICIT flag. The OCSP_basic_verify() function is the only place where this flag has an effect in the whole OpenSSL source, and in the openssl ocsp application it can be set with the -no_explicit command line option:

    /*
     * Easy case: explicitly trusted. Get root CA and check for explicit
     * trust
     */
    if (flags & OCSP_NOEXPLICIT)
        goto end;

    x = sk_X509_value(chain, sk_X509_num(chain) - 1);
    if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
        goto end;
    }

Unfortunately the -no_explicit command line option is not documented: https://www.openssl.org/docs/apps/ocsp.html

What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the -no_explicit command line option? What exactly is checked by the X509_check_trust() call above with respect to the relevant RFCs?

Best regards
Stephan