From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41123] - Support of OCSP in mod_ssl (rewritten patch from bug #31383)
Date Wed, 28 Nov 2007 00:52:21 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From steve@openssl.org  2007-11-27 16:52 -------
> 
> 2) drop the duplicate X509_STORE_CTX & X509_STORE creation.  I can't see why
> this is necessary; Marc, can you explain what that was for?  

I haven't tested it explicitly but I think the extra X509_STORE and ctx was
intended to extract the issuer certificate from the client certificate in a
reliable way.

Note that X509_STORE_CTX_get1_issuer() will only retrieve the issuer certificate
if it is trusted, hence the extra store to make all certificates trusted. To see
why suppose you have this situation:

Root->Intermediate->Cert

Where Root only is trusted. The client would send Cert and Intermediate. The
OpenSSL validation logic would then build the whole chain.

A call to X509_STORE_CTX_get1_issuer() would fail because Intermediate is not in
the trusted store.

In actual fact it isn't necessary to create a separate store because the
certificate chain has already been built and validated. All you should need to
do is to extract the second member of the validated chain like this....

X509 *issuer = sk_X509_value(X509_STORE_CTX_get_chain(ctx), 1);
if (issuer == NULL) {
    /* error: the validated chain has no second element (e.g. self-signed leaf) */
}

Since issuer is an internal pointer it shouldn't be freed as it will be freed up
when the ctx is cleaned up.

Oh and btw you do need to free up certID.