Fix OCSP response handling errors with Let's Encrypt #4
Commits on Jul 10, 2021
-
Use CFLAGS from apr-config, not apxs
Apxs adds flags from the Apache build it is from, and those might not work in some cases, for example if a different compiler was used.
-
SHA1 for issuer name hash and issuer key hash in OCSP requests
Some CAs (notably Let's Encrypt) support only SHA1. Support for that is required by RFC 5019 [1] and referenced in CAB Forum Baseline Requirements, too. This particular hash doesn't need to be cryptographically secure, so switching to SHA1 is the simplest solution. [1] https://datatracker.ietf.org/doc/html/rfc5019#section-2.1.1
Commits on Jul 11, 2021
Commits on Jul 13, 2021
-
Use the issuer certificate directly to verify OCSP responses
The detour over a trust list is unnecessary by using gnutls_ocsp_resp_verify_direct(), which simplifies the code a lot, and also avoids a current bug in gnutls_ocsp_resp_verify() [1]. [1] https://gitlab.com/gnutls/gnutls/-/issues/1254
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.