[openssl-users] OCSP_response_status

Wouter Verhelst wouter.verhelst at fedict.be
Wed Jan 6 10:57:00 UTC 2016

On 05-01-16 21:23, rosect190 at yahoo.com wrote:
> Hi, I am using OCSP_response_status(..) to check the OCSP result. My
> openssl is of version 1.0.1h.
> It is noticed that if the response has some issue, for example, the OCSP
> server cannot be contacted and thus the request is timed out (this can
> be handled separately) or if the Responder URL path is not correct, the
> call to OCSP_response_status(..) will generate a segmentation fault.

If you pass incorrect data to OCSP_response_status(), things may go 
wrong. So don't do that, then :-)

Instead, the HTTP library which you use should be able to inform you if 
the HTTP request failed for some reason. When it does, don't call 

(also, make sure to call OCSP_basic_verify() before accepting the result 
of OCSP_response_status() at face value, because the latter checks the 
signature while the former does not).

Wouter Verhelst
