httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41123] - Support of OCSP in mod_ssl (rewritten patch from bug #31383)
Date Wed, 28 Nov 2007 21:23:51 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123





------- Additional Comments From steve@openssl.org  2007-11-28 13:23 -------
> 
> 1) we must always be able to assume that the issuer of the
> X509_STORE_CTX_get_current_cert() cert is trusted, since otherwise we wouldn't
> get this far?
> 

I'll check the current patch. As things stand I suspect if the server just
trusts a root CA and the client sends root->intermediate->EE it will fail to
find the intermediate CA because it isn't in the store.

> 2) sk_X509_value(X509_STORE_CTX_get_chain(ctx), 1) is not necessarily the issuer
> of the current cert - it might *be* the current cert?
> 
> ...right?  Or am I missing something fundamental?
> 

I was missing something. I was assuming the OCSP calls were being made *after*
the chain is validated instead of inside the verification callback.

If you make OCSP calls inside the verification callback the chain may not be
fully trusted when you make the OCSP requests. This would allow a carefully
constructed certificate chain to persuade a server to make arbitrary OCSP
requests to any URL. Some would regard this as undesirable.

> On the CERTID front, if I add 
> 
>     if (certID) OCSP_CERTID_free(certID);
> 
> it crashes on that line:
> 

Yes, I missed that, sorry. It will be freed when the request is freed.





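As an added illustration (not code from the bug thread or from mod_ssl), the following Python model shows the two points made in the comment above: the issuer of a certificate may only be present in the presented chain rather than in the server's store (point 1), and querying a responder from the per-certificate callback can contact a URL taken from a certificate whose chain has not yet been validated, whereas querying only after validation against the trust store cannot. All names and URLs below are constructed; the functions are a simplified stand-in for the OpenSSL chain building, not its real logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ocsp_url: str  # responder URL the cert's own AIA extension would carry

# Constructed sample data (hypothetical names and URLs).
ROOT = Cert("Root CA", "Root CA", "http://ocsp.root.example/")
INTER = Cert("Intermediate CA", "Root CA", "http://ocsp.root.example/")
EE = Cert("www.example", "Intermediate CA", "http://ocsp.inter.example/")
ROGUE_CA = Cert("Rogue CA", "Rogue CA", "http://rogue.example/")
ROGUE_EE = Cert("www.example", "Rogue CA", "http://rogue.example/")

TRUSTED = (ROOT,)  # the server's store holds only the root (point 1)

def find_issuer(cert, chain, trusted):
    """Look in the trust store first, then in the presented chain: the
    intermediate is normally only in the chain, never in the store."""
    for cand in tuple(trusted) + tuple(chain):
        if cand is not cert and cand.subject == cert.issuer:
            return cand
    return None

def verify_chain(chain, trusted):
    """Build EE..anchor; return it only if it ends at a trust anchor."""
    path, cur = [], chain[0]
    while cur not in path:          # guard against issuer loops
        path.append(cur)
        if cur in trusted:
            return path
        cur = find_issuer(cur, chain, trusted)
        if cur is None:
            return None
    return None

def ocsp_inside_verify_callback(chain, trusted):
    """Model of querying from the per-certificate callback: each cert is
    checked as it is visited, before the chain as a whole is known to be trusted."""
    contacted = []
    for cert in chain:
        if find_issuer(cert, chain, trusted) is not None:
            contacted.append(cert.ocsp_url)  # URL taken from an unverified cert
    return contacted

def ocsp_after_verification(chain, trusted):
    """Validate first; only certs on a chain ending at a trust anchor are queried."""
    path = verify_chain(chain, trusted)
    if path is None:
        return []                    # untrusted chain: no responder is contacted
    return [c.ocsp_url for c in path if c not in trusted]
```

With the store holding only the root, `find_issuer` must consult the presented chain to locate the intermediate; with the rogue chain, the callback-timed model contacts the rogue URL while the post-validation model contacts nothing.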