httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41123] - Support of OCSP in mod_ssl (rewritten patch from bug #31383)
Date Wed, 28 Nov 2007 22:28:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From jorton@redhat.com  2007-11-28 14:28 -------
(In reply to comment #39)
> I was missing something. I was assuming the OCSP calls were being made *after*
> the chain is validated instead of inside the verification callback.
> 
> If you make OCSP calls inside the verification callback the chain may not be
> fully trusted when you make the OCSP requests. This would allow a carefully
> constructed certificate chain to persuade a server to make arbitrary OCSP
> requests to any URL. Some would regard this as undesirable.

If the cert being verified is not trusted, the SSLVerify callback will get
invoked with ok=0 though, surely? (The OCSP code won't get invoked in that case,
only if the cert *is* trusted.)

But I did find this confusing, anyway.  Is it at all desirable to be doing OCSP
validation of every cert in the chain, including whatever root CA?  Marc, was
the code written like this deliberately?

It would be simple enough to only do the OCSP validation for the actual peer cert.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
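To make the ordering the two comments above are arguing about concrete, here is an added C model of the verify-callback sequence. It is not mod_ssl's or OpenSSL's code: the certificate labels, responder URLs, chain contents and the path_ok flags are all constructed for the example, and the real X509_STORE_CTX plumbing is replaced by a plain struct. It shows the two behaviours under discussion: no OCSP request is ever issued for a certificate OpenSSL already rejected (preverify_ok == 0), and an optional policy restricts OCSP to the peer certificate at depth 0 instead of every CA in the chain.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the OpenSSL verify-callback sequence. OpenSSL calls the
 * SSL verify callback once per certificate, starting at the root (highest depth)
 * and ending at the peer certificate (depth 0), passing preverify_ok = the
 * result of its own path validation for that certificate. Everything below is
 * made up for illustration; none of it is mod_ssl code. */

#define MAX_CHAIN 8

struct cert {
    const char *subject;        /* constructed label */
    const char *ocsp_responder; /* responder URL carried by the cert, or NULL */
    int depth;                  /* 0 = peer certificate, n-1 = root */
    int path_ok;                /* what OpenSSL's own validation decided (constructed) */
};

enum ocsp_policy { OCSP_EVERY_CERT, OCSP_PEER_ONLY };

struct verify_result {
    int ocsp_requests;              /* responder fetches the callback would issue */
    const char *fetched[MAX_CHAIN]; /* which URLs */
    int chain_ok;                   /* final handshake verdict */
};

/* One callback invocation; returns the new ok value as an OpenSSL verify
 * callback does. With preverify_ok == 0 the certificate is already rejected,
 * so no OCSP request is made: a URL carried by an untrusted cert is never
 * contacted. */
static int verify_cb(int preverify_ok, const struct cert *c,
                     enum ocsp_policy policy, struct verify_result *r)
{
    if (!preverify_ok)
        return 0;
    if (policy == OCSP_PEER_ONLY && c->depth != 0)
        return 1;   /* CA certs: rely on path validation only */
    if (c->ocsp_responder == NULL)
        return 1;   /* e.g. a self-signed root: nothing to ask */

    r->fetched[r->ocsp_requests++] = c->ocsp_responder;
    /* A real implementation performs the OCSP exchange here and returns 0 on a
     * "revoked" answer; this model treats every responder as answering "good". */
    return 1;
}

/* Drive the chain through the callback in OpenSSL's order (root first) and
 * stop at the first rejection, as OpenSSL does when the callback returns 0. */
static struct verify_result run_chain(const struct cert *chain, int n,
                                      enum ocsp_policy policy)
{
    struct verify_result r = { 0, { NULL }, 1 };
    for (int i = n - 1; i >= 0; i--) {
        if (!verify_cb(chain[i].path_ok, &chain[i], policy, &r)) {
            r.chain_ok = 0;
            break;
        }
    }
    return r;
}

/* Scenario 1 (constructed): chain anchored in the trust store. */
static const struct cert trusted_chain[] = {
    { "CN=www.example.test",        "http://ocsp.example.test/leaf", 0, 1 },
    { "CN=Example Intermediate CA", "http://ocsp.example.test/ca",   1, 1 },
    { "CN=Example Root CA",         NULL,                            2, 1 },
};

/* Scenario 2 (constructed): root not in the trust store. OpenSSL rejects the
 * path at the root, so the responder URL in the leaf is never fetched. */
static const struct cert untrusted_chain[] = {
    { "CN=www.example.test", "http://ocsp.untrusted.test/", 0, 0 },
    { "CN=Unknown Root",     NULL,                          1, 0 },
};

static struct verify_result run_scenario(int trusted, enum ocsp_policy policy)
{
    if (trusted)
        return run_chain(trusted_chain,
                         (int)(sizeof trusted_chain / sizeof trusted_chain[0]), policy);
    return run_chain(untrusted_chain,
                     (int)(sizeof untrusted_chain / sizeof untrusted_chain[0]), policy);
}

/* Number of OCSP requests the callback would issue for a scenario. */
int ocsp_requests_for(int trusted, enum ocsp_policy policy)
{
    return run_scenario(trusted, policy).ocsp_requests;
}

/* Whether the handshake would be accepted for a scenario. */
int chain_accepted(int trusted, enum ocsp_policy policy)
{
    return run_scenario(trusted, policy).chain_ok;
}

int main(void)
{
    printf("trusted chain, every cert : %d OCSP request(s)\n",
           ocsp_requests_for(1, OCSP_EVERY_CERT));
    printf("trusted chain, peer only  : %d OCSP request(s)\n",
           ocsp_requests_for(1, OCSP_PEER_ONLY));
    printf("untrusted chain, every cert: %d OCSP request(s), accepted=%d\n",
           ocsp_requests_for(0, OCSP_EVERY_CERT), chain_accepted(0, OCSP_EVERY_CERT));
    return 0;
}
```

With the trusted chain the every-cert policy queries two responders (leaf and intermediate; the self-signed root carries none), while the peer-only policy queries one. With the untrusted chain no request is made under either policy, because the callback is first entered with preverify_ok == 0 at the root and the verification stops there.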

