[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Jan 24 18:34:01 UTC 2018
The branch master has been updated
via e23ac62594e85296cb90f70480d156f73207218e (commit)
via cace14b8ef5362a7a269ac71dcac8304206811e1 (commit)
via 0494014781d2e348996f55acca0d179b09f9499f (commit)
via 89623f84299a66761ba4c69f01dbd86fc584d0a3 (commit)
via b4dd21a7b8b850a39b0f610fceca21557853c943 (commit)
from a26dd465b21d8def440c16b6bd90227b03e12e02 (commit)
- Log -----------------------------------------------------------------
commit e23ac62594e85296cb90f70480d156f73207218e
Author: David Cooper <david.cooper at nist.gov>
Date: Wed Jan 24 12:27:19 2018 -0500
Added "B" tag to all variables.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
commit cace14b8ef5362a7a269ac71dcac8304206811e1
Author: David Cooper <david.cooper at nist.gov>
Date: Wed Jan 24 11:47:23 2018 -0500
Add documentation for the OCSP_basic_sign() and OCSP_basic_sign_ctx() functions.
Correct error return value in OCSP_basic_sign().
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
commit 0494014781d2e348996f55acca0d179b09f9499f
Author: David Cooper <david.cooper at nist.gov>
Date: Tue Jan 23 14:22:17 2018 -0500
Make editorial changes suggested by Matt Caswell and fixed Travis failures.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
commit 89623f84299a66761ba4c69f01dbd86fc584d0a3
Author: David Cooper <david.cooper at nist.gov>
Date: Tue Dec 12 16:01:22 2017 -0500
Make editorial changes suggested by Rich Salz and add the -rsigopt option to the man page for the ocsp command.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
commit b4dd21a7b8b850a39b0f610fceca21557853c943
Author: David Cooper <david.cooper at nist.gov>
Date: Fri Aug 18 09:27:19 2017 -0400
Add -rsigopt option to ocsp command
Add a -rsigopt option to the ocsp command that allows signature parameters to be provided for the signing of OCSP responses. The parameters that may be provided to -rsigopt are the same as may be provided to -sigopt in the ca, req, and x509 commands.
This PR also defines a OCSP_basic_sign_ctx() function, which functions in the same way as OCSP_basic_sign(), except that it accepts a EVP_MD_CTX rather than a key and digest. The OCSP_basic_sign_ctx() function is used to implement the -rsigopt option in the ocsp command.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
-----------------------------------------------------------------------
Summary of changes:
apps/ocsp.c | 42 +++++++++++++++++++++++++++++++++------
crypto/err/openssl.txt | 3 ++-
crypto/ocsp/ocsp_err.c | 1 +
crypto/ocsp/ocsp_lcl.h | 4 ++++
crypto/ocsp/ocsp_srv.c | 42 +++++++++++++++++++++++++++++++++------
doc/man1/ocsp.pod | 6 ++++++
doc/man3/OCSP_response_status.pod | 21 ++++++++++++++++++--
include/openssl/ocsp.h | 3 +++
include/openssl/ocsperr.h | 1 +
util/libcrypto.num | 1 +
10 files changed, 109 insertions(+), 15 deletions(-)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 34aacd6..4a68e52 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -46,9 +46,10 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
-static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig);
@@ -77,7 +78,7 @@ typedef enum OPTION_choice {
OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
- OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER,
+ OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER,
OPT_V_ENUM,
OPT_MD
} OPTION_CHOICE;
@@ -154,6 +155,7 @@ const OPTIONS ocsp_options[] = {
{"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
{"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
{"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
+ {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},
{"header", OPT_HEADER, 's', "key=value header to add"},
{"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
OPT_V_OPTIONS,
@@ -164,6 +166,7 @@ int ocsp_main(int argc, char **argv)
{
BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+ STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL;
int trailing_md = 0;
CA_DB *rdb = NULL;
EVP_PKEY *key = NULL, *rkey = NULL;
@@ -419,6 +422,12 @@ int ocsp_main(int argc, char **argv)
if (!opt_md(opt_arg(), &rsign_md))
goto end;
break;
+ case OPT_RSIGOPT:
+ if (rsign_sigopts == NULL)
+ rsign_sigopts = sk_OPENSSL_STRING_new_null();
+ if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
+ goto end;
+ break;
case OPT_HEADER:
header = opt_arg();
value = strchr(header, '=');
@@ -583,8 +592,8 @@ redo_accept:
}
if (rdb != NULL) {
- make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
- rsign_md, rother, rflags, nmin, ndays, badsig);
+ make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
+ rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig);
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
@@ -710,6 +719,7 @@ redo_accept:
X509_free(signer);
X509_STORE_free(store);
X509_VERIFY_PARAM_free(vpm);
+ sk_OPENSSL_STRING_free(rsign_sigopts);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(cert);
@@ -855,9 +865,10 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
}
}
-static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
+ STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig)
{
@@ -865,6 +876,8 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
OCSP_CERTID *cid;
OCSP_BASICRESP *bs = NULL;
int i, id_count;
+ EVP_MD_CTX *mctx = NULL;
+ EVP_PKEY_CTX *pkctx = NULL;
id_count = OCSP_request_onereq_count(req);
@@ -950,7 +963,23 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
OCSP_copy_nonce(bs, req);
- OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
+ mctx = EVP_MD_CTX_new();
+ if ( mctx == NULL || !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey)) {
+ *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);
+ goto end;
+ }
+ for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
+ char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+
+ if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
+ BIO_printf(err, "parameter error \"%s\"\n", sigopt);
+ ERR_print_errors(bio_err);
+ *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+ NULL);
+ goto end;
+ }
+ }
+ OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);
if (badsig) {
const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
@@ -960,6 +989,7 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
end:
+ EVP_MD_CTX_free(mctx);
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
OCSP_BASICRESP_free(bs);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 0ed1b09..accd83c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -735,6 +735,7 @@ OBJ_F_OBJ_NID2SN:104:OBJ_nid2sn
OCSP_F_D2I_OCSP_NONCE:102:d2i_ocsp_nonce
OCSP_F_OCSP_BASIC_ADD1_STATUS:103:OCSP_basic_add1_status
OCSP_F_OCSP_BASIC_SIGN:104:OCSP_basic_sign
+OCSP_F_OCSP_BASIC_SIGN_CTX:119:OCSP_basic_sign_ctx
OCSP_F_OCSP_BASIC_VERIFY:105:OCSP_basic_verify
OCSP_F_OCSP_CERT_ID_NEW:101:OCSP_cert_id_new
OCSP_F_OCSP_CHECK_DELEGATED:106:ocsp_check_delegated
diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c
index 5faeff2..a97177e 100644
--- a/crypto/ocsp/ocsp_err.c
+++ b/crypto/ocsp/ocsp_err.c
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA OCSP_str_functs[] = {
{ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_ADD1_STATUS, 0),
"OCSP_basic_add1_status"},
{ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_SIGN, 0), "OCSP_basic_sign"},
+ {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_SIGN_CTX, 0), "OCSP_basic_sign_ctx"},
{ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_VERIFY, 0), "OCSP_basic_verify"},
{ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_CERT_ID_NEW, 0), "OCSP_cert_id_new"},
{ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_CHECK_DELEGATED, 0),
diff --git a/crypto/ocsp/ocsp_lcl.h b/crypto/ocsp/ocsp_lcl.h
index d1cf158..2215a00 100644
--- a/crypto/ocsp/ocsp_lcl.h
+++ b/crypto/ocsp/ocsp_lcl.h
@@ -224,6 +224,10 @@ struct ocsp_service_locator_st {
ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
+# define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
+ ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
+ NULL,(o)->signature,&(o)->tbsResponseData,ctx)
+
# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
&(a)->optionalSignature->signatureAlgorithm,\
(a)->optionalSignature->signature,&(a)->tbsRequest,r)
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 51b27bd..eff6ddb 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -168,15 +168,28 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
return 1;
}
-int OCSP_basic_sign(OCSP_BASICRESP *brsp,
- X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+/*
+ * Sign an OCSP response using the parameters contained in the digest context,
+ * set the responderID to the subject name in the signer's certificate, and
+ * include one or more optional certificates in the response.
+ */
+
+int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
+ X509 *signer, EVP_MD_CTX *ctx,
STACK_OF(X509) *certs, unsigned long flags)
{
int i;
OCSP_RESPID *rid;
+ EVP_PKEY *pkey;
- if (!X509_check_private_key(signer, key)) {
- OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
+ if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL) {
+ OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX, OCSP_R_NO_SIGNER_KEY);
+ goto err;
+ }
+
+ pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
+ if (pkey == NULL || !X509_check_private_key(signer, pkey)) {
+ OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
@@ -208,7 +221,7 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
* -- Richard Levitte
*/
- if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
+ if (!OCSP_BASICRESP_sign_ctx(brsp, ctx, 0))
goto err;
return 1;
@@ -216,6 +229,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
return 0;
}
+int OCSP_basic_sign(OCSP_BASICRESP *brsp,
+ X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+ STACK_OF(X509) *certs, unsigned long flags)
+{
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_PKEY_CTX *pkctx = NULL;
+ int i;
+
+ if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {
+ EVP_MD_CTX_free(ctx);
+ return 0;
+ }
+ i = OCSP_basic_sign_ctx(brsp, signer, ctx, certs, flags);
+ EVP_MD_CTX_free(ctx);
+ return i;
+}
+
int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert)
{
if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert)))
diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod
index 46fff32..44f1a60 100644
--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -81,6 +81,7 @@ B<openssl> B<ocsp>
[B<-rsigner file>]
[B<-rkey file>]
[B<-rother file>]
+[B<-rsigopt nm:v>]
[B<-resp_no_certs>]
[B<-nmin n>]
[B<-ndays n>]
@@ -340,6 +341,11 @@ subject name.
The private key to sign OCSP responses with: if not present the file
specified in the B<rsigner> option is used.
+=item B<-rsigopt nm:v>
+
+Pass options to the signature algorithm when signing OCSP responses.
+Names and values of these options are algorithm-specific.
+
=item B<-port portnum>
Port to listen for OCSP requests on. The port may also be specified
diff --git a/doc/man3/OCSP_response_status.pod b/doc/man3/OCSP_response_status.pod
index e81b866..ede2974 100644
--- a/doc/man3/OCSP_response_status.pod
+++ b/doc/man3/OCSP_response_status.pod
@@ -4,7 +4,8 @@
OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
-OCSP_RESPID_set_by_key, OCSP_RESPID_match - OCSP response functions
+OCSP_RESPID_set_by_key, OCSP_RESPID_match,
+OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions
=head1 SYNOPSIS
@@ -19,6 +20,12 @@ OCSP_RESPID_set_by_key, OCSP_RESPID_match - OCSP response functions
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
+ int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
+ const EVP_MD *dgst, STACK_OF(X509) *certs,
+ unsigned long flags);
+ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx,
+ STACK_OF(X509) *certs, unsigned long flags);
+
=head1 DESCRIPTION
OCSP_response_status() returns the OCSP response status of B<resp>. It returns
@@ -49,6 +56,13 @@ setting.
OCSP_RESPID_match() tests whether the OCSP_RESPID given in B<respid> matches
with the X509 certificate B<cert>.
+OCSP_basic_sign() signs OCSP response B<brsp> using certificate B<signer>, private key
+B<key>, digest B<dgst> and additional certificates B<certs>. If the B<flags> option
+B<OCSP_NOCERTS> is set then no certificates will be included in the request. If the
+B<flags> option B<OCSP_RESPID_KEY> is set then the responder is identified by key ID
+rather than by name. OCSP_basic_sign_ctx() also signs OCSP response B<brsp> but
+uses the parameters contained in digest context B<ctx>.
+
=head1 RETURN VALUES
OCSP_RESPONSE_status() returns a status value.
@@ -61,7 +75,8 @@ if an error occurred.
OCSP_RESPONSE_free() does not return a value.
-OCSP_RESPID_set_by_name() and OCSP_RESPID_set_by_key() return 1 on success or 0
+OCSP_RESPID_set_by_name(), OCSP_RESPID_set_by_key(), OCSP_basic_sign(), and
+OCSP_basic_sign_ctx() return 1 on success or 0
on failure.
OCSP_RESPID_match() returns 1 if the OCSP_RESPID and the X509 certificate match
@@ -88,6 +103,8 @@ L<OCSP_RESPID_free(3)>
The OCSP_RESPID_set_by_name(), OCSP_RESPID_set_by_key() and OCSP_RESPID_match()
functions were added in OpenSSL 1.1.0a.
+The OCSP_basic_sign_ctx() function was added in OpenSSL 1.1.1.
+
=head1 COPYRIGHT
Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 3ca2a92..0b89a64 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -251,6 +251,9 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
int OCSP_basic_sign(OCSP_BASICRESP *brsp,
X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
STACK_OF(X509) *certs, unsigned long flags);
+int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
+ X509 *signer, EVP_MD_CTX *ctx,
+ STACK_OF(X509) *certs, unsigned long flags);
int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
diff --git a/include/openssl/ocsperr.h b/include/openssl/ocsperr.h
index 0fdb47c..08800d1 100644
--- a/include/openssl/ocsperr.h
+++ b/include/openssl/ocsperr.h
@@ -25,6 +25,7 @@ int ERR_load_OCSP_strings(void);
# define OCSP_F_D2I_OCSP_NONCE 102
# define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
# define OCSP_F_OCSP_BASIC_SIGN 104
+# define OCSP_F_OCSP_BASIC_SIGN_CTX 119
# define OCSP_F_OCSP_BASIC_VERIFY 105
# define OCSP_F_OCSP_CERT_ID_NEW 101
# define OCSP_F_OCSP_CHECK_DELEGATED 106
diff --git a/util/libcrypto.num b/util/libcrypto.num
index d6fbd14..3e7d28e 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4500,3 +4500,4 @@ ADMISSIONS_get0_professionInfos 4440 1_1_1 EXIST::FUNCTION:
ADMISSION_SYNTAX_new 4441 1_1_1 EXIST::FUNCTION:
EVP_sha512_256 4442 1_1_1 EXIST::FUNCTION:
EVP_sha512_224 4443 1_1_1 EXIST::FUNCTION:
+OCSP_basic_sign_ctx 4444 1_1_1 EXIST::FUNCTION:OCSP
More information about the openssl-commits
mailing list