[openssl-users] OCSP_response_status

Wouter Verhelst wouter.verhelst at fedict.be
Wed Jan 6 10:57:00 UTC 2016


On 05-01-16 21:23, rosect190 at yahoo.com wrote:
> Hi, I am using OCSP_response_status(..) to check the OCSP result. My
> openssl is of version 1.0.1h.
>
> It is noticed that if the response has some issue, for example, the ocsp
> server can not be contacted and thus the request is timed out (this can
> be handled separately.) or if the Responder URL path is not correct, the
> call to OCSP_response_status(..) will generate a Segmentation fault.

If you pass incorrect data to OCSP_response_status(), things may go 
wrong. So don't do that, then :-)

Instead, the HTTP library which you use should be able to inform you if 
the HTTP request failed for some reason. When it does, don't call 
OCSP_response_status()...

(also, make sure to call OCSP_basic_verify() before accepting the result 
of OCSP_response_status() at face value, because the latter checks the 
signature while the former does not).

-- 
Wouter Verhelst
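
The check described in the reply above, as an added example (not part of the original post and not OpenSSL code): a stand-alone C gate that rejects a failed HTTP fetch or a body that is not a DER OCSPResponse, so that OCSP_response_status() is never reached with bad data. `ocsp_gate`, the GATE_* codes and the sample bytes are hypothetical names and constructed values; in an OpenSSL program the same point is covered by checking that d2i_OCSP_RESPONSE() did not return NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Gate results; 0..6 are RFC 6960 responseStatus values (0 = successful). */
enum { GATE_HTTP_FAILED = -1, GATE_NOT_OCSP = -2 };
/* Read a DER length at p[*i]; 0 on success, -1 if malformed or truncated. */
static int der_len(const unsigned char *p, size_t n, size_t *i, size_t *len)
{
    if (*i >= n) return -1;
    unsigned char b = p[(*i)++];
    if (b < 0x80) { *len = b; return 0; }
    size_t cnt = b & 0x7f;
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *i) return -1;
    for (*len = 0; cnt > 0; cnt--) *len = (*len << 8) | p[(*i)++];
    return 0;
}

/* http_status is what the HTTP client reported (assumption: 0 = no reply,
 * e.g. timeout). Returns a GATE_* error or the responder's responseStatus. */
int ocsp_gate(int http_status, const unsigned char *body, size_t n)
{
    size_t i = 1, len;
    if (http_status != 200 || body == NULL || n == 0) return GATE_HTTP_FAILED;
    /* OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
     *                             responseBytes [0] EXPLICIT ... OPTIONAL } */
    if (body[0] != 0x30 || der_len(body, n, &i, &len) || len != n - i)
        return GATE_NOT_OCSP;
    if (n - i < 3 || body[i] != 0x0a || body[i + 1] != 0x01)
        return GATE_NOT_OCSP;
    unsigned st = body[i + 2];
    if (st > 6 || st == 4) return GATE_NOT_OCSP;        /* not a defined status */
    if (st == 0 && (n - i < 4 || body[i + 3] != 0xa0))  /* success needs bytes */
        return GATE_NOT_OCSP;
    return (int)st;  /* status lies outside the signed data; verify on 0 too */
}

/* Constructed sample bodies, not captured from a real responder. */
const unsigned char TRY_LATER[] = { 0x30, 0x03, 0x0a, 0x01, 0x03 };
const unsigned char HTML_404[]  = "<html>404 Not Found</html>";
const unsigned char OK_SHELL[]  = { 0x30, 0x07, 0x0a, 0x01, 0x00, 0xa0, 0x02, 0x30, 0x00 };

int main(void)
{
    printf("timeout   -> %d\n", ocsp_gate(0, NULL, 0));
    printf("404 page  -> %d\n", ocsp_gate(404, HTML_404, sizeof HTML_404 - 1));
    printf("try later -> %d\n", ocsp_gate(200, TRY_LATER, sizeof TRY_LATER));
    printf("ok shell  -> %d\n", ocsp_gate(200, OK_SHELL, sizeof OK_SHELL));
    return 0;
}
```

A return of 0 only means the responder claims success; the signed BasicOCSPResponse inside responseBytes still has to pass OCSP_basic_verify() before the certificate status is trusted.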

