[openssl-users] OCSP_response_status
Wouter Verhelst
wouter.verhelst at fedict.be
Wed Jan 6 10:57:00 UTC 2016
On 05-01-16 21:23, rosect190 at yahoo.com wrote:
> Hi, I am using OCSP_response_status(..) to check the OCSP result. My
> openssl is of version 1.0.1h.
>
> It is noticed that if the response has some issue, for example, the OCSP
> server cannot be contacted and thus the request is timed out (this can
> be handled separately) or if the Responder URL path is not correct, the
> call to OCSP_response_status(..) will generate a segmentation fault.
If you pass incorrect data to OCSP_response_status(), things may go
wrong. So don't do that, then :-)

Instead, the HTTP library which you use should be able to inform you if
the HTTP request failed for some reason. When it does, don't call
OCSP_response_status()...

(also, make sure to call OCSP_basic_verify() before accepting the result
of OCSP_response_status() at face value, because the latter checks the
signature while the former does not).
--
Wouter Verhelst