any subtleties about OCSP in TLS1.3 with ecdh curves?
Sam Roberts
vieuxtech at gmail.com
Mon Jun 24 21:34:14 UTC 2019
Node.js has a bug report and repro of OCSP status not being sent from
a node server to the openssl CLI when TLS1.3 is being used, but only
when the server is setting an ECDH curve with SSL_CTX_set1_curves_list().
The repro is https://github.com/sam-github/node-ocsp-bug-repro
TLS trace of success is
https://github.com/sam-github/node-ocsp-bug-repro/blob/master/ok.txt,
and of failure is
https://github.com/sam-github/node-ocsp-bug-repro/blob/master/notok.txt
I hacked up node a bit, and it does look like in both cases the same
API interactions between node and openssl are occurring, at least with
respect to the cb from SSL_set_cert_cb(): it is happening, after which
time we save some data, and then we call
SSL_set_tlsext_status_ocsp_resp() with that data.
AFAICT, with SSL_CTX_set1_curves_list() called, the OCSP data never
shows up in the server response.
I'm not sure what to look at next, does anybody have ideas?
Thanks,
Sam
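The observation above (stapling present without the curve restriction, absent with it) is easiest to pin down by probing the server from the openssl CLI under several version/curve combinations and classifying the `-status` output. The script below is an added example, not part of the original post or the repro repository; the host, port and the probe matrix are placeholders, and the output strings it matches are the ones `openssl s_client -status` prints (`OCSP response: no response sent` when nothing was stapled, `OCSP Response Status: ...` when a response was).

```python
"""Probe which TLS version / curve combinations a server staples OCSP for.

Added diagnostic example; assumes an `openssl` binary on PATH (1.1.1+)
and a server to test against (host/port are placeholders).
"""
import re
import subprocess

# Constructed probe matrix: the bug report differs only in whether the
# server pins an ECDH curve, so vary version and client curve offer.
PROBES = [
    ("tls1_2", None),
    ("tls1_3", None),
    ("tls1_3", "P-256"),
    ("tls1_3", "X25519"),
]


def parse_status(s_client_output: str) -> str:
    """Classify `openssl s_client -status` output into none / <status> / unknown."""
    if "OCSP response: no response sent" in s_client_output:
        return "none"
    match = re.search(r"OCSP Response Status:\s*(\w+)", s_client_output)
    if match:
        return match.group(1)  # e.g. "successful"
    return "unknown"


def build_command(host, port, version, curves=None, servername=None):
    """Assemble the s_client invocation; -status makes the client request stapling."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-status", f"-{version}"]
    if curves:
        cmd += ["-curves", curves]
    if servername:
        cmd += ["-servername", servername]
    return cmd


def probe(host, port, version, curves=None):
    """Run one probe; stdin is closed so s_client exits after the handshake."""
    proc = subprocess.run(build_command(host, port, version, curves),
                          stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=15)
    return parse_status(proc.stdout + proc.stderr)


def stapling_matrix(host, port):
    """Map each (version, curves) probe to the stapling result observed."""
    return {(v, c): probe(host, port, v, c) for v, c in PROBES}


if __name__ == "__main__":
    for (version, curves), status in stapling_matrix("localhost", 8443).items():
        print(f"{version:7s} curves={curves or 'default':8s} -> {status}")
```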