[openssl-dev] [openssl.org #4120] CertificateStatus message is optional
David Benjamin via RT
rt at openssl.org
Tue Nov 3 02:09:49 UTC 2015
It seems unlikely I'll be getting around to doing another newsletter, but
while I'm reporting bugs, here's another that came to mind:
RFC 6066 is somewhat obnoxious and allows the server to decline to send
CertificateStatus even after negotiating the extension.
https://tools.ietf.org/html/rfc6066#section-8
Note that a server MAY also choose not to send a "CertificateStatus"
message, even if has received a "status_request" extension in the
client hello message and has sent a "status_request" extension in the
server hello message.
OpenSSL fails the handshake when the message is omitted. We had a report of
an incompatibility because of this. I think it turned out IIS would
negotiate certificate_status, send the ServerHello, and later try to find
an OCSP response to staple. If it failed to do so, it would send no
CertificateStatus.
See also: https://crbug.com/478947
David
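As an added illustration (not code from this report or from OpenSSL itself), the following C model shows the client-side check on the server's first flight in TLS 1.2 once status_request has been negotiated: in "strict" mode, which models the OpenSSL behaviour described above, the client insists on a CertificateStatus right after Certificate; in RFC 6066 mode the message is optional, so the IIS flight Certificate / ServerKeyExchange / ServerHelloDone is accepted. Message type values are the real HandshakeType codes; the function and struct names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 HandshakeType values (RFC 5246 section 7.4, RFC 6066 section 8). */
enum {
    HT_CERTIFICATE = 11, HT_SERVER_KEY_EXCHANGE = 12, HT_CERTIFICATE_REQUEST = 13,
    HT_SERVER_HELLO_DONE = 14, HT_CERTIFICATE_STATUS = 22
};

/* Walk the handshake message types the server sent after ServerHello.
 * Returns 1 if the flight is acceptable, 0 on a protocol error.
 *   status_negotiated: the server echoed status_request in ServerHello.
 *   strict: model of the reported OpenSSL behaviour (CertificateStatus
 *           required once negotiated); false = optional per RFC 6066. */
int check_server_flight(const uint8_t *types, size_t n,
                        bool status_negotiated, bool strict)
{
    bool saw_cert = false, saw_status = false;
    for (size_t i = 0; i < n; i++) {
        switch (types[i]) {
        case HT_CERTIFICATE:
            if (saw_cert) return 0;          /* only one Certificate message */
            saw_cert = true;
            break;
        case HT_CERTIFICATE_STATUS:
            /* Legal only if negotiated, and only directly after Certificate. */
            if (!status_negotiated || !saw_cert || saw_status) return 0;
            if (types[i - 1] != HT_CERTIFICATE) return 0;
            saw_status = true;
            break;
        case HT_SERVER_KEY_EXCHANGE:
        case HT_CERTIFICATE_REQUEST:
        case HT_SERVER_HELLO_DONE:
            /* Strict client: the staple was promised but never arrived. */
            if (strict && status_negotiated && saw_cert && !saw_status) return 0;
            if (types[i] == HT_SERVER_HELLO_DONE) return saw_cert ? 1 : 0;
            break;
        default:
            return 0;                         /* unexpected message type */
        }
    }
    return 0;                                 /* flight never completed */
}

int main(void)
{
    /* Constructed flight matching the IIS case: no CertificateStatus. */
    const uint8_t iis[] = { HT_CERTIFICATE, HT_SERVER_KEY_EXCHANGE, HT_SERVER_HELLO_DONE };
    printf("strict: %d, rfc6066: %d\n", check_server_flight(iis, 3, true, true),
           check_server_flight(iis, 3, true, false));
    return 0;
}
```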