[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Sat Feb 13 14:12:15 UTC 2016

The branch master has been updated
       via  21c6c50fc85a2b6ad8472dcf24f42f5e6da5bfbe (commit)
      from  7b8666276df86c1b84bae410eea2fa1947f6516a (commit)

- Log -----------------------------------------------------------------
commit 21c6c50fc85a2b6ad8472dcf24f42f5e6da5bfbe
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Tue Feb 9 20:29:21 2016 -0600

    GH650: Minor tidying around the ocsp app
    The ocsp utility is something of a jack-of-all-trades; most anything
    related to OCSP can be done with it.  In particular, the manual
    page calls out that it can be used as either a client or a server
    of the protocol, but there are also a few things that it can do
    which do not quite fit into either role, such as encoding an OCSP
    request but not sending it, printing out a text form of an OCSP
    response (or request) from a file akin to the asn1parse utility,
    or performing a lookup into the server-side revocation database
    without actually sending a request or response.  All three of these
    are documented as examples in the manual page, but the documentation
    prior to this commit is somewhat misleading, in that when printing
    the text form of an OCSP response, the code also attempts to
    verify the response, displaying an error message and returning
    failure if the response does not verify.  (It is possible that
    the response would be able to verify with the given example, since
    the default trust roots are used for that verification, but OCSP
    responses frequently have alternate certification authorities
    that would require passing -CAfile or -CApath for verification.)
    Tidy up the documentation by passing -noverify for the case of
    converting from binary to textual representation, and also
    change a few instances of -respin to -reqin as appropriate, note
    that the -url option provides the same functionality as the -host
    and -path options, clarify that the example that saves an OCSP
    response to a file will also perform verification on that response,
    and fix a couple of grammar nits in the manual page.
    Also remove an always-true conditional for rdb != NULL -- there
    are no codepaths in which it could be initialized at the time of
    this check.
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>


Summary of changes:
 apps/ocsp.c       |  2 +-
 doc/apps/ocsp.pod | 19 ++++++++++---------
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index d2e3109..73b407c 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -521,7 +521,7 @@ int ocsp_main(int argc, char **argv)
             goto end;
-    if (rsignfile && !rdb) {
+    if (rsignfile) {
         if (!rkeyfile)
             rkeyfile = rsignfile;
         rsigner = load_cert(rsignfile, FORMAT_PEM,
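Review bot: dropping `&& !rdb` from the `if (rsignfile)` check is only safe if `rdb` cannot be non-NULL at this point; the hunk shows no assignment to it, and the commit message asserts that none precedes this check, so please confirm that the index/database load happens after this block (otherwise a responder invoked with both an index and `-rsigner` would change behaviour). A one-line comment above the check noting that `rdb` is populated later would keep the next reader from re-adding the guard.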
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 1ecd928..be195bc 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -139,7 +139,7 @@ Additional certificates to include in the signed request.
 =item B<-nonce>, B<-no_nonce>
 Add an OCSP nonce extension to a request or disable OCSP nonce addition.
-Normally if an OCSP request is input using the B<respin> option no
+Normally if an OCSP request is input using the B<reqin> option no
 nonce is added: using the B<nonce> option will force addition of a nonce.
 If an OCSP request is being created (using B<cert> and B<serial> options)
 a nonce is automatically added specifying B<no_nonce> overrides this.
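Review bot: `B<reqin>` is the right option here (the nonce text concerns an input request, not a response), but the pod is inconsistent about dashes in this hunk: the item heading writes `B<-nonce>, B<-no_nonce>` while the body writes `B<reqin>`, `B<nonce>`, `B<cert>` and `B<no_nonce>`. Consider normalizing to the dashed form throughout the OPTIONS section, or at least within this item, in a follow-up.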
@@ -166,7 +166,8 @@ specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
 if the B<host> option is present then the OCSP request is sent to the host
 B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
-or "/" by default.
+or "/" by default.  This is equivalent to specifying B<-url> with scheme
+http:// and the given hostname, port, and pathname.
 =item B<-header name=value>
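Review bot: the added sentence says `-host`/`-port`/`-path` are equivalent to `-url` with scheme `http://`, while the first context line of this hunk says `-url` accepts both HTTP and HTTPS; it would help to state explicitly that the host/port/path form cannot express an HTTPS responder, so a user who needs TLS to the responder must use `-url https://...`. Minor: the double space after "by default." differs from the single spacing elsewhere in the paragraph.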
@@ -296,7 +297,7 @@ information.
 If the B<index> option is specified the B<ocsp> utility is in responder mode, otherwise
 it is in client mode. The request(s) the responder processes can be either specified on
 the command line (using B<issuer> and B<serial> options), supplied in a file (using the
-B<respin> option) or via external OCSP clients (if B<port> or B<url> is specified).
+B<reqin> option) or via external OCSP clients (if B<port> or B<url> is specified).
 If the B<index> option is present then the B<CA> and B<rsigner> options must also be
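Review bot: the corrected sentence lists the responder's command-line request sources as `B<issuer>` and `B<serial>`, whereas the nonce paragraph earlier in this file describes creating a request with `B<cert>` and `B<serial>`; the responder-mode example at the end of the page uses `-issuer ... -serial 1`, so this hunk is right, but the earlier paragraph should be reconciled with it so both describe the same set of options.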
@@ -401,7 +402,7 @@ format of revocation is also inefficient for large quantities of revocation
 It is possible to run the B<ocsp> application in responder mode via a CGI
-script using the B<respin> and B<respout> options.
+script using the B<reqin> and B<respout> options.
 =head1 EXAMPLES
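Review bot: `reqin` is the correct option for a CGI responder (the script reads the request via `-reqin` and writes the response via `-respout`; `respin` would have meant feeding a response into the responder), but the sentence still tells the reader nothing about how the CGI script is expected to hand the request and response files to `ocsp`. A pointer to the "request read from a file, write the response to a second file" example at the end of this page would make it actionable.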
@@ -410,14 +411,14 @@ Create an OCSP request and write it to a file:
  openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
 Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the 
-response to a file and print it out in text form
+response to a file, print it out in text form, and verify the response:
  openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
      -url http://ocsp.myhost.com/ -resp_text -respout resp.der
 Read in an OCSP response and print out text form:
- openssl ocsp -respin resp.der -text
+ openssl ocsp -respin resp.der -text -noverify
 OCSP server on port 8888 using a standard B<ca> configuration, and a separate
 responder certificate. All requests and responses are printed to a file.
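Review bot: adding `-noverify` to the `-respin resp.der -text` example makes the command succeed, but it also means the printed status is unauthenticated; a short sentence after that example saying the output must not be relied on for revocation decisions without re-running with `-CAfile`/`-CApath` would prevent copy-paste misuse. The same applies to the first example: its new text promises the response will be verified, yet the command passes no `-CAfile` or `-CApath`, so verification uses the default trust roots, which the commit message itself notes often fail for OCSP responders that use a separate CA.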
@@ -430,13 +431,13 @@ As above but exit after processing one request:
  openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
      -nrequest 1
-Query status information using internally generated request:
+Query status information using an internally generated request:
  openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
      -issuer demoCA/cacert.pem -serial 1
-Query status information using request read from a file, write response to a
-second file.
+Query status information using request read from a file, and write the response
+to a second file.
  openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
      -reqin req.der -respout resp.der
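Review bot: for consistency with the article added in the previous example ("an internally generated request"), "using request read from a file" should read "using a request read from a file". Also, the example commands in this hunk continue onto a second line (`-nrequest 1`, `-issuer demoCA/cacert.pem -serial 1`, `-reqin req.der -respout resp.der`) without a trailing backslash, unlike the `-url` example earlier in the file; in a verbatim block they render as two separate commands, so either add `\` or join them on one line.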
