Re: [PATCH] Fix to x509v3_config docs

2013-12-13 Thread Ryan Castellucci 
As I mentioned in the comments I included, a trailing slash, while
totally *valid*, causes problems with MS-CAPI. MS-CAPI likes to use
HTTP GET for its OCSP requests, and it seems to like to add an extra
slash even if it's not needed. I'm not finding anything online
documenting this online, but have a look at some certificates from
commercial CAs - none of them have trailing slashes. I'll dig up some
request logs from my server that show the problem.

On Fri, Dec 13, 2013 at 5:20 AM, Martin Hecht he...@hlrs.de wrote:
 Hi,

 shouldn't the trailing slash be allowed? In RFC 2560 section 3.1 it reads:
 The value of the accessLocation field in the subject certificate defines
 the transport (e.g. HTTP) used to access the OCSP responder and may
 contain other transport dependent information (e.g. a URL).

 and in the references (section 6) RFC 1738 is mentioned for [URL], and
 there, in section 3.3 HTTP it reads:
 An HTTP URL takes the form:
 http://host:port/path?searchpart
 [...]  If neither path nor searchpart is present, the / may also
 be omitted.

 To my understanding there is nothing wrong, if there is a trailing
 (single) slash. It is the separator between host with (optional)
 :port and an empty path value. It MAY be omitted, but it may also be
 there, right?

 Please correct me if I am missing something.

 best regards,
 Martin


 On 10.12.2013 01:34, Ryan Castellucci wrote:
 I've discovered that having a trailing slash in an OCSP URL can cause
 problems with MS-CAPI. This is a minimal patch to make the example
 non-broken. I haven't added any additional text to the documentation
 to explain this because all that was there in the first place was the
 example. Please let me know if this needs to be more extensively
 documented.

 I've CC'd cr...@bis.doc.gov is requested in the readme, however this
 is a trivial documentation change which doesn't touch any encryption
 code.

 diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
 index 06d8467..8e3d48a 100644
 --- a/doc/apps/x509v3_config.pod
 +++ b/doc/apps/x509v3_config.pod
 @@ -220,7 +220,7 @@ certain values are meaningful, for example OCSP
 and caIssuers.

  Example:

 - authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
 + authorityInfoAccess = OCSP;URI:http://ocsp.my.host
   authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH] Fix to x509v3_config docs

2013-12-10 Thread Ryan Castellucci 
I've discovered that having a trailing slash in an OCSP URL can cause
problems with MS-CAPI. This is a minimal patch to make the example
non-broken. I haven't added any additional text to the documentation
to explain this because all that was there in the first place was the
example. Please let me know if this needs to be more extensively
documented.

I've CC'd cr...@bis.doc.gov is requested in the readme, however this
is a trivial documentation change which doesn't touch any encryption
code.

diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
index 06d8467..8e3d48a 100644
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -220,7 +220,7 @@ certain values are meaningful, for example OCSP
and caIssuers.

 Example:

- authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+ authorityInfoAccess = OCSP;URI:http://ocsp.my.host
  authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org