httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41123] - Support of OCSP in mod_ssl (rewritten patch from bug #31383)
Date Wed, 28 Nov 2007 10:34:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From jorton@redhat.com  2007-11-28 02:34 -------
OK, but the SSLVerify callback (and hence this OCSP validation code) is invoked
for each and (necessarily) every cert from the root CA down to the peer's
certificate, to verify the complete chain - so:

1) we must always be able to assume that the issuer of the
X509_STORE_CTX_get_current_cert() cert is trusted, since otherwise we wouldn't
get this far?

2) sk_X509_value(X509_STORE_CTX_get_chain(ctx), 1) is not necessarily the issuer
of the current cert - it might *be* the current cert?

...right?  Or am I missing something fundamental?

On the CERTID front, if I add 

    if (certID) OCSP_CERTID_free(certID);

it crashes on that line:

#0  0x0000003800e75edb in free () from /lib64/libc.so.6
#1  0x00000038094572fd in CRYPTO_free () from /lib64/libcrypto.so.6
#2  0x00000038094bcc37 in ASN1_STRING_free () from /lib64/libcrypto.so.6
...

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
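The chain-indexing question raised in the comment above, worked through as an added C model (not code from the patch or from mod_ssl): cert_t and verify_ctx_t are minimal stand-ins for X509 and X509_STORE_CTX, the chain is laid out in OpenSSL's order (peer at index 0, trust anchor last), and depth stands for X509_STORE_CTX_get_error_depth(). The constructed three-cert chain shows that a fixed index of 1 names the issuer only at depth 0 (at depth 1 it returns the current cert itself), while chain[depth + 1] does at every depth below the root.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for X509: only the names matter for this check. */
typedef struct { const char *subject; const char *issuer; } cert_t;
/* Stand-in for X509_STORE_CTX: chain[0] is the peer cert, chain[len-1] the
 * trust anchor; depth is the index of the cert currently being verified. */
typedef struct { const cert_t *chain; int len; int depth; } verify_ctx_t;

/* Constructed example chain: leaf -> intermediate -> self-issued root. */
const cert_t EXAMPLE_CHAIN[] = {
    { "CN=www.example.test",     "CN=Example Intermediate" },
    { "CN=Example Intermediate", "CN=Example Root" },
    { "CN=Example Root",         "CN=Example Root" },
};
#define EXAMPLE_CHAIN_LEN 3

/* The lookup questioned in the comment: always chain entry 1. */
const cert_t *issuer_fixed_index(const verify_ctx_t *ctx) {
    return ctx->len > 1 ? &ctx->chain[1] : NULL;
}

/* Depth-based lookup: the issuer of chain[depth] is chain[depth + 1]. The
 * root has no separate issuer in the chain, so NULL (nothing to OCSP-check). */
const cert_t *issuer_for_depth(const verify_ctx_t *ctx) {
    if (ctx->depth < 0 || ctx->depth + 1 >= ctx->len)
        return NULL;
    return &ctx->chain[ctx->depth + 1];
}

/* Analogue of X509_check_issued(): the candidate's subject must equal the
 * current cert's issuer name. */
int issuer_matches(const cert_t *current, const cert_t *candidate) {
    return candidate != NULL && strcmp(current->issuer, candidate->subject) == 0;
}

/* Walk the chain root-first, as the verify callback is invoked, and count at
 * how many depths the chosen strategy hands back the true issuer. */
int count_correct(const cert_t *chain, int len, int use_depth) {
    int correct = 0;
    for (int depth = len - 1; depth >= 0; depth--) {
        verify_ctx_t ctx = { chain, len, depth };
        const cert_t *c = use_depth ? issuer_for_depth(&ctx) : issuer_fixed_index(&ctx);
        if (issuer_matches(&chain[depth], c))
            correct++;
    }
    return correct;
}

int main(void) {
    printf("fixed index 1: %d correct, chain[depth+1]: %d correct (of %d depths)\n",
           count_correct(EXAMPLE_CHAIN, EXAMPLE_CHAIN_LEN, 0),
           count_correct(EXAMPLE_CHAIN, EXAMPLE_CHAIN_LEN, 1), EXAMPLE_CHAIN_LEN);
    return 0;
}
```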

