httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41123] - Support of OCSP in mod_ssl (rewritten patch from bug #31383)
Date Thu, 29 Nov 2007 00:13:49 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From steve@openssl.org  2007-11-28 16:13 -------
It wasn't quite as bad as I originally thought. The final verification step is
the signature validation of each cert in the chain. So if that is successful the
callback is called with ok==1 for each cert in the chain.

I thought that the chain went leaf to root which would have allowed arbitrary
URIs from a bogus chain.

Instead it goes root to leaf which isn't as bad but would allow a bogus EE cert
to trigger chain validation because it isn't checked until the end.

As things stand the current_issuer field of X509_STORE_CTX can be used to obtain
the issuer cert. Think that was first added in OpenSSL 0.9.7.

The only other case is when ok is set to 1 because it tolerates an earlier
error. That could end up doing an OCSP (and CRL) check twice AFAICS.
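A simplified model of the callback sequencing described in the comment above, added here as an illustration; it is not code from OpenSSL or from the mod_ssl patch. `Cert`, `verify_chain`, `OcspTrigger` and the sample chain are all constructed, the earlier per-cert extension and CRL passes are left out, and the OCSP lookup is only queued, never performed.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    name: str
    ocsp_uri: str              # constructed AIA URI; only recorded, never fetched
    signature_ok: bool = True  # constructed flag: False models a mis-signed (bogus) cert


def verify_chain(chain, cb):
    """chain[0] is the leaf and chain[-1] the trust anchor, as in OpenSSL.
    Signatures are checked root to leaf, and cb(1, ...) is issued for a cert
    only after that cert's own signature verified. A failure is reported as
    cb(0, ...); if the callback tolerates it (returns True) verification
    continues and the same cert receives cb(1, ...) as well."""
    top = len(chain) - 1
    for i in range(top, -1, -1):
        cert = chain[i]
        issuer = chain[i + 1] if i < top else cert  # self-signed anchor
        if not cert.signature_ok and not cb(0, cert, issuer, "CERT_SIGNATURE_FAILURE"):
            return False
        if not cb(1, cert, issuer, None):
            return False
    return True


class OcspTrigger:
    """Verify callback that queues at most one OCSP lookup per (cert, issuer) pair."""

    def __init__(self, tolerate=()):
        self.tolerate = set(tolerate)
        self.calls = 0    # callback invocations, to expose the double call
        self.queued = []  # (cert, issuer, uri) triples handed to an OCSP client

    def __call__(self, ok, cert, issuer, error):
        self.calls += 1
        if not ok and error not in self.tolerate:
            return False  # reject: a cert whose signature failed gets no lookup
        if cert is issuer:
            return True   # trust anchor: nothing to ask a responder about
        if (cert.name, issuer.name) not in [(c, i) for c, i, _ in self.queued]:
            self.queued.append((cert.name, issuer.name, cert.ocsp_uri))
        return True       # second cb(1) after a tolerated error is a no-op


def run(chain, tolerate=()):
    """Return (verified, queued lookups, callback invocations) for a chain."""
    cb = OcspTrigger(tolerate)
    return verify_chain(chain, cb), cb.queued, cb.calls


ROOT = Cert("root", "http://ocsp.example/root")
INTER = Cert("inter", "http://ocsp.example/inter")
GOOD_EE = Cert("ee", "http://ocsp.example/ee")
BOGUS_EE = Cert("ee", "http://bogus.example/ocsp", signature_ok=False)
```

With a bogus leaf the intermediate's lookup is still queued before the leaf's signature fails, which is the root-to-leaf ordering the comment notes; the leaf's own URI is never queued unless the callback tolerates the error, and then only once.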
