Version
5.7.2
Description
Hello!
When providing a custom OCSP callback (set by wolfSSL_SetOCSP_Cb), the TLS client will call this callback, during the TLS handshake, when it needs to get an OCSP response to check the status of the certificate.
In this callback, a connection to the OCSP responder is established to obtain the OCSP response and then return it from the callback once the response was received successfully. This callback shall return the number of bytes in the response or WOLFSSL_CBIO_ERR_GENERAL (-1) in case of an error.
What happens when the OCSP response was not received before timeout?
In the soft-fail approach we want to "by-pass" the missing OCSP response and continue with the verification. wolfSSL does not handle the timeout case in the OCSP callback.
Returning WOLFSSL_CBIO_ERR_TIMEOUT (-6) from this callback in this case will later invoke the VerifyCallback (set by wolfSSL_set_verify) with the error code OCSP_INVALID_STATUS (-407). This is the same error code as when returning WOLFSSL_CBIO_ERR_GENERAL.
Because of that, it is impossible to differentiate the timeout error from other errors.
I think that when returning WOLFSSL_CBIO_ERR_TIMEOUT it would make sense to continue with the verification of the certificate to support the soft-fail. For hard-fail, the callback can still return WOLFSSL_CBIO_ERR_GENERAL.
Thank you!
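The ambiguity described in the report, and one application-side way to keep the timeout distinguishable, as an added example that is not code from the original post or from wolfSSL. It is a stand-alone model: the `ocsp_policy` struct and all function names are hypothetical, the numeric codes are the ones quoted in the report, and how the shared state reaches the real verify callback is left to the application.

```c
/* Numeric values as quoted in the report above. */
#define CBIO_ERR_GENERAL      (-1)    /* WOLFSSL_CBIO_ERR_GENERAL */
#define CBIO_ERR_TIMEOUT      (-6)    /* WOLFSSL_CBIO_ERR_TIMEOUT */
#define OCSP_INVALID_STATUS_E (-407)  /* OCSP_INVALID_STATUS */

/* Hypothetical per-connection state shared by the application's callbacks. */
typedef enum { FETCH_OK, FETCH_TIMEOUT, FETCH_FAILED } fetch_result;

typedef struct {
    int soft_fail;      /* policy: 1 = tolerate a responder timeout */
    fetch_result last;  /* why the most recent OCSP fetch ended */
} ocsp_policy;

/* Exit path of the OCSP I/O callback: record the reason, then return the
 * byte count or the error code the report describes. */
int ocsp_io_result(ocsp_policy *p, fetch_result r, int resp_len)
{
    p->last = r;
    if (r == FETCH_OK)
        return resp_len;
    return (r == FETCH_TIMEOUT) ? CBIO_ERR_TIMEOUT : CBIO_ERR_GENERAL;
}

/* Model of the reported behaviour: both error returns reach the verify
 * callback as OCSP_INVALID_STATUS. Response validation is not modelled. */
int error_seen_by_verify(int cb_ret)
{
    if (cb_ret == CBIO_ERR_TIMEOUT || cb_ret == CBIO_ERR_GENERAL)
        return OCSP_INVALID_STATUS_E;
    return 0;
}

/* Decision for the verify callback: 1 = continue the handshake, 0 = abort.
 * Only a recorded timeout under a soft-fail policy is tolerated; every other
 * error, including other OCSP failures, stays fatal. */
int verify_decision(const ocsp_policy *p, int preverify_ok, int error)
{
    if (preverify_ok)
        return 1;
    if (error == OCSP_INVALID_STATUS_E && p->soft_fail &&
        p->last == FETCH_TIMEOUT)
        return 1;
    return 0;
}
```

The recorded state has to be per connection and reset before each handshake, so that a stale timeout cannot excuse a later, unrelated OCSP failure.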