Bug in ocsp verification #45
Comments
Does this issue relate to the ticket, here? I tested ocsp_test.c in that ticket, and got the results below.

With OpenSSL 1.0.2g, result is OK.

$ /usr/bin/openssl version
OpenSSL 1.0.2g-fips 1 Mar 2016
$ cc ocsp_test.c -I /usr/include -L /usr/lib -lcrypto -lssl
$ ldd a.out
linux-vdso.so.1 => (0x00007ffce88f7000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f406e6dc000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f406e473000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f406e0a9000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f406dea5000)
/lib64/ld-linux-x86-64.so.2 (0x000055850b26c000)
$ ./a.out www.amazon.com 443
OK
$

With LibreSSL 2.4.1, result is NG.

$ /usr/local/bin/openssl version
LibreSSL 2.4.1
$ cc ocsp_test.c -I /usr/local/include -L /usr/local/lib -lcrypto -lssl
$ ldd a.out
linux-vdso.so.1 => (0x00007fffa99c5000)
libcrypto.so.38 => /usr/local/lib/libcrypto.so.38 (0x00007fe9da7d7000)
libssl.so.39 => /usr/local/lib/libssl.so.39 (0x00007fe9da57d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe9da1b3000)
/lib64/ld-linux-x86-64.so.2 (0x000055d6462f3000)
$ ./a.out www.amazon.com 443
OCSP response verification failed
$

And if this problem gets fixed, how about including another fix:

Yeah, this looks to be the issue. We should address this in a similar way.

The attached (based on OpenBSD base) should fix it - it does for me here.

On Mon, Jul 4, 2016 at 9:05 AM, kinichiro inoguchi <notifications@github.com

Fixes committed to OpenBSD. Should show up upstream soon.

It cannot operate on https://www.ssllabs.com because OCSP stapled response includes additional subca certs. I think it's even 2 bugs:
This is fixed in openssl 1.0.2 / 1.1.