httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: Support for OpenSSL 1.1.0
Date Tue, 09 Feb 2016 15:09:14 GMT
On 09/02/2016 14:36, Rainer Jung wrote:
> Hi Steve,
> 
> thanks a lot for your review and comments. More inline.
> 
> Am 09.02.2016 um 13:34 schrieb Dr Stephen Henson:
>> On 09/02/2016 10:20, Rainer Jung wrote:
>>>
>>> 3) ssl_engine_ocsp.c
>>>
>>> In modssl_verify_ocsp() the following code accesses the struct member "valid",
>>> for which currently no accessor function exists in 1.1.0:
>>>
>>> 268     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK)
{
>>> 269         /* don't do OCSP checking for valid self-issued certs */
>>> 270         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
>>> 271                       "Skipping OCSP check for valid self-issued cert");
>>> 272         X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>> 273         return 1;
>>> 274     }
>>>
>>>
>>
>> It's not clear what that code is supposed to do. The check isn't for
>> "self-issued" because that would just require comparing the subject and issuer
>> names it is actually checking for a self signed certificate.
> 
>> Is it supposed to be skipping OCSP checking for a trusted root?
> 
> The svn log message says "Don't do OCSP checks for valid self-issued certs". The
> change was discussed here
> 
> http://marc.info/?t=129214629500002&r=1&w=2
> 
> with some older discussion here
> 
> http://marc.info/?t=119636863800005&r=1&w=2
> 
> As far as I get it, it is meant as an optimization to skip OCSP in cases where
> it isn't needed or useful. But I'm far from being an expert here. Kaspar, who
> introduced it originally formulated "prevents mod_ssl from doing unnecessary
> OCSP checks (valid self-issued certs, i.e. trust anchors configured through
> SSLCACertificate{File,Path})".
> 
> I'll CC Kaspar directly.
> 

OK it looks like at that point the certificate has been verified anyway so you
don't gain anything by checking cert->valid.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Mime
View raw message