httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Support for OpenSSL 1.1.0
Date Tue, 09 Feb 2016 14:36:13 GMT
Hi Steve,

thanks a lot for your review and comments. More inline.

Am 09.02.2016 um 13:34 schrieb Dr Stephen Henson:
> On 09/02/2016 10:20, Rainer Jung wrote:
>>
>> 3) ssl_engine_ocsp.c
>>
>> In modssl_verify_ocsp() the following code accesses the struct member "valid",
>> for which currently no accessor function exists in 1.1.0:
>>
>> 268     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK)
{
>> 269         /* don't do OCSP checking for valid self-issued certs */
>> 270         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
>> 271                       "Skipping OCSP check for valid self-issued cert");
>> 272         X509_STORE_CTX_set_error(ctx, X509_V_OK);
>> 273         return 1;
>> 274     }
>>
>>
>
> It's not clear what that code is supposed to do. The check isn't for
> "self-issued" because that would just require comparing the subject and issuer
> names it is actually checking for a self signed certificate.

> Is it supposed to be skipping OCSP checking for a trusted root?

The svn log message says "Don't do OCSP checks for valid self-issued 
certs". The change was discussed here

http://marc.info/?t=129214629500002&r=1&w=2

with some older discussion here

http://marc.info/?t=119636863800005&r=1&w=2

As far as I get it, it is meant as an optimization to skip OCSP in cases 
where it isn't needed or useful. But I'm far from being an expert here. 
Kaspar, who introduced it originally formulated "prevents mod_ssl from 
doing unnecessary OCSP checks (valid self-issued certs, i.e. trust 
anchors configured through SSLCACertificate{File,Path})".

I'll CC Kaspar directly.

>> 4) ssl_util_stapling.c
>>
>> In ssl_stapling_init_cert() there's a compiler warning:
>>    "passing argument 1 of 'sk_value' from incompatible pointer type
>>     expected 'const struct _STACK *' but argument is of type
>>     'struct stack_st_OPENSSL_STRING *'":
>>
>> 179        cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
>>
>
> In ssl_private.h the checks like this:
>
> #ifndef sk_OPENSSL_STRING_value
> #define sk_OPENSSL_STRING_value sk_value
> #endif
>
> no longer work because stacks are now inline functions. If you put that block
> round an appropriate #ifdef it should be fine.
>
> I had a quick look at the changes and did notice that some of the direct
> structure access (extensions, X509_NAME) is unnecessary in existing versions of
> OpenSSL. So in some cases you don't need to only use them for 1.1: they'll work
> in all versions of OpenSSL but it's only in 1.1 they are enforced.

I'll get this tested/included. I kept the direct structure accesses for 
pre-1.1.0 just for the moment to stay on the safe side. Once this works 
reasonably well, I'll clean up the code to reduce the version dependent 
ifdefs.

Getting closer :)

Regards,

Rainer

Mime
View raw message