Bug in ocsp verifycation #45
Comments
|
Does this issue relate to the ticket, here ? I tested ocsp_test.c in that ticket, and got the results below. With OpenSSL 1.0.2g, result is OK. $ /usr/bin/openssl version
OpenSSL 1.0.2g-fips 1 Mar 2016
$ cc ocsp_test.c -I /usr/include -L /usr/lib -lcrypto -lssl
$ ldd a.out
linux-vdso.so.1 => (0x00007ffce88f7000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f406e6dc000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f406e473000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f406e0a9000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f406dea5000)
/lib64/ld-linux-x86-64.so.2 (0x000055850b26c000)
$ ./a.out www.amazon.com 443
OK
$With LibreSSL 2.4.1, result is NG. $ /usr/local/bin/openssl version
LibreSSL 2.4.1
$ cc ocsp_test.c -I /usr/local/include -L /usr/local/lib -lcrypto -lssl
$ ldd a.out
linux-vdso.so.1 => (0x00007fffa99c5000)
libcrypto.so.38 => /usr/local/lib/libcrypto.so.38 (0x00007fe9da7d7000)
libssl.so.39 => /usr/local/lib/libssl.so.39 (0x00007fe9da57d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe9da1b3000)
/lib64/ld-linux-x86-64.so.2 (0x000055d6462f3000)
$ ./a.out www.amazon.com 443
OCSP response verification failed
$And if fix this problem, how about including another fix: |
|
Yeah, this looks to be the issue. we should address this in a similar way |
|
The attached (based on OpenBSD base) should fix it - It does for me here On Mon, Jul 4, 2016 at 9:05 AM, kinichiro inoguchi <notifications@github.com
|
|
Fixes commited to OpenBSD. should show up upstream soon. |
It cannot operate on https://www.ssllabs.com because OCSP stapled response includes additional subca certs. I think it's even 2 bugs:
This is fixed in openssl 1.0.2 / 1.1.
The text was updated successfully, but these errors were encountered: