[openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

Alessandro Ghedini via RT rt at openssl.org
Sat Jan 31 16:06:34 UTC 2015


On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote:
> Currently the OCSP_basic_verify() function fails with many apparently valid OCSP
> responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS,
> NSS) have no problem with them.
> 
> Essentially, in crypto/ocsp/ocsp_vfy.c in the OCSP_basic_verify() function, the
> X509_STORE_CTX_init() function is called like this:
> 
>   init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
> 
> where ctx is the X509_STORE_CTX to be initialized, st is the trust store passed
> by the user, signer is the signer of the OCSP response (which is what needs to
> be validated), and bs is the decoded OCSP basic response.
> 
> The problem is the last argument. OpenSSL uses the cert list embedded in the
> OCSP response to build the trust chain, but it seems that in some cases this
> list is somewhat broken. Other libraries (e.g. GnuTLS) do the verification
> differently, without including those bs->certs that OpenSSL uses.
> 
> I attached the patch and a simple test case. You can compile it with:
> 
>   $ cc ocsp_test.c -lcrypto -lssl
> 
> To test the problem run:
> 
>   $ ./a.out digitalocean.com 443
>   OCSP response verification failed
> 
> after the patch:
> 
>   $ ./a.out digitalocean.com 443
>   OK

I updated the patch so that it applies cleanly after the reformatting of
ocsp_vfy.c in commit 0f113f3.

Cheers

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Don-t-use-the-cert-list-embedded-in-the-OCSP-respons.patch
Type: text/x-diff
Size: 1163 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150131/37d2b542/attachment.patch>
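As an added illustration, not part of this thread and not the attached patch, the split that X509_STORE_CTX_init()'s arguments encode can be reproduced with the openssl CLI: the second argument (st) is the trust store, the fourth (bs->certs) is a list of untrusted certificates that may only be used to build a path back to that store. The script below builds a throwaway root -> intermediate -> leaf chain (the leaf stands in for the OCSP response signer) and verifies the leaf three ways. Subjects, file names and the scratch directory are assumptions of this demo; the keys are generated on the fly and discarded.

```shell
#!/bin/sh
# Added example, not OpenSSL's own code and not the patch from this thread.
# Builds a throwaway root -> intermediate -> leaf chain and checks the leaf
# against (a) the trust store alone, (b) the store plus the intermediate as an
# untrusted chain cert, (c) an unrelated store plus root and intermediate as
# untrusted certs. Subjects/paths are assumptions; keys are throwaway.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"

# make_cert <name> <subject> <extfile> [<issuer>]; no issuer = self-signed.
make_cert() {
    name=$1; subject=$2; ext=$3; issuer=${4:-}
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$subject" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -days 2 -in "$WORK/$name.csr" \
            -signkey "$WORK/$name.key" -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -sha256 -days 2 -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# Constructed hierarchy: root (trust anchor), intermediate, a leaf standing in
# for the OCSP response signer, and an unrelated self-signed "stray" root.
make_chain() {
    [ -f "$WORK/leaf.pem" ] && return 0
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"
    make_cert root  "/CN=Demo Root"         "$WORK/ca.ext"
    make_cert inter "/CN=Demo Intermediate" "$WORK/ca.ext" root
    make_cert leaf  "/CN=Demo OCSP Signer"  "$WORK/leaf.ext" inter
    make_cert stray "/CN=Unrelated Root"    "$WORK/ca.ext"
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/untrusted.pem"
}

# Trust store only: the leaf's issuer is nowhere to be found, so this fails
# ("unable to get local issuer certificate").
verify_store_only() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Same store, intermediate passed as an untrusted chain certificate (the CLI
# analogue of the 4th X509_STORE_CTX_init() argument): path found, succeeds.
verify_with_untrusted() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Untrusted certs cannot introduce trust: even with root and intermediate in
# the untrusted list, a store that does not contain the root rejects the leaf.
verify_untrusted_cannot_anchor() {
    if openssl verify -CAfile "$WORK/stray.pem" -untrusted "$WORK/untrusted.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_chain
echo "store only:                $(verify_store_only)"
echo "store + untrusted inter:   $(verify_with_untrusted)"
echo "unrelated store, untrusted root+inter: $(verify_untrusted_cannot_anchor)"
```

The third check is the point worth keeping in mind when reading the patch: certificates taken from the response (bs->certs) are only ever chain-building material, they never become trust anchors, which is why OpenSSL passes them as the untrusted list. OCSP_basic_verify() also accepts the OCSP_NOCHAIN flag, which skips the embedded certificates altogether, the equivalent of running the second check without -untrusted.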
