Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-25 Thread Alessandro Ghedini via RT
On Tue, Mar 24, 2015 at 01:19:31PM +0100, Stephen Henson via RT wrote: On Fri Mar 20 13:20:07 2015, alessan...@ghedini.me wrote: Months have passed and I haven't received a reply yet (even worse, the recent obfuscation of the OCSP structures in 6ef869d7d0a9d made it impossible to

[openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-25 Thread Stephen Henson via RT
OK thanks for confirming that. Ticket resolved. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org

[openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-24 Thread Stephen Henson via RT
On Fri Mar 20 13:20:07 2015, alessan...@ghedini.me wrote: Months have passed and I haven't received a reply yet (even worse, the recent obfuscation of the OCSP structures in 6ef869d7d0a9d made it impossible to work around the issue as curl has been doing [0]), so I thought I'd add some more

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-20 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-31 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-26 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-26 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

[openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-20 Thread Alessandro Ghedini via RT
Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in crypto/ocsp/ocsp_vfy.c in the OCSP_basic_verify() function, the X509_STORE_CTX_init()