RE: [PATCH v3] OCSP stapling for GnuTLS and NSS

From: Joe Mason <jmason_at_blackberry.com>
Date: Thu, 22 Jan 2015 16:15:34 +0000

> From: curl-library [curl-library-bounces_at_cool.haxx.se] on behalf of Alessandro
> Ghedini [alessandro_at_ghedini.me]
> Sent: Thursday, January 22, 2015 6:38 AM
> To: curl-library_at_cool.haxx.se
> Subject: Re: [PATCH v3] OCSP stapling for GnuTLS and NSS
>
> So, thanks to Joe Mason [0], I think I have a 100% working OpenSSL patch now,
> it's really ugly though [1]... I'll send it to the mailing list after some
> more testing.

Now that my mail's validated I can send this to the list instead of straight to you...

Thanks for finding X509_check_issued - I was looking for a function like that but missed that one.

I'm not sure that the call to OCSP_basic_add1_cert is correct if the responder cert isn't the last one in the chain, though. Isn't the X509 stack supposed to be strictly following the chain of issuers? So if the OCSP response contains the responder A, which is issued by B, which is issued by C, the stack should contain one of:

(1) A
(2) A -> B
(3) A -> B -> C

So in case (1) this patch will work, but in the other two it would add a second copy of B to the end of the chain:

A -> B -> B
A -> B -> C -> B

Or are the STACK_OF(X509) structures in openssl more general than that?

If my above interpretation is right, I think we should always check the last X509 in the stack, like my original patch did, but include the checks for V_OCSP_RESPID_NAME, etc that you added, and simply do nothing if the last cert is NOT the responder.

Joe
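The ordering argument above can be checked against a small model. The following is an added example, not code from the patch under discussion or from curl or OpenSSL: it replaces X509 and STACK_OF(X509) with constructed structs holding only subject and issuer names, replaces X509_check_issued with a name comparison, and builds the three stacks from the mail (A, A -> B, A -> B -> C) with constructed names. It contrasts the unconditional append that the mail questions with the "look at the last cert, do nothing unless it is the responder" rule the mail proposes, and counts how many copies of B each leaves behind.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8

/* Constructed stand-in for an X509: just the two name fields the ordering
 * argument depends on. This is a model, not OpenSSL's X509. */
typedef struct {
    const char *subject;
    const char *issuer;
} mock_cert;

/* Constructed stand-in for STACK_OF(X509) ordered as the mail assumes:
 * certs[i + 1] is the issuer of certs[i], so certs[0] is the responder. */
typedef struct {
    mock_cert certs[MAX_CHAIN];
    int len;
} mock_stack;

/* The three certs from the mail: A issued by B, B issued by C, C self-signed. */
static const mock_cert CERT_A = { "CN=A (responder)", "CN=B" };
static const mock_cert CERT_B = { "CN=B", "CN=C" };
static const mock_cert CERT_C = { "CN=C", "CN=C" };

/* Mock of X509_check_issued(issuer, subject): 1 when `issuer` names the issuer
 * of `subject`; decided purely by name comparison in this model. */
static int mock_check_issued(const mock_cert *issuer, const mock_cert *subject)
{
    return strcmp(issuer->subject, subject->issuer) == 0;
}

/* 1 if every cert in the stack is issued by the cert that follows it. */
int chain_is_ordered(const mock_stack *st)
{
    for (int i = 0; i + 1 < st->len; i++)
        if (!mock_check_issued(&st->certs[i + 1], &st->certs[i]))
            return 0;
    return 1;
}

/* Number of stack entries with this subject (2 means a duplicate was added). */
int count_subject(const mock_stack *st, const char *subject)
{
    int n = 0;
    for (int i = 0; i < st->len; i++)
        if (strcmp(st->certs[i].subject, subject) == 0)
            n++;
    return n;
}

/* Behaviour the mail questions: append the responder's issuer unconditionally,
 * as an unguarded OCSP_basic_add1_cert call would. Returns the new length. */
int naive_add_issuer(mock_stack *st, const mock_cert *issuer)
{
    if (st->len >= MAX_CHAIN)
        return -1;
    st->certs[st->len++] = *issuer;
    return st->len;
}

/* Behaviour the mail argues for: inspect only the last cert. If it is the
 * responder, its issuer is missing and is appended; otherwise the stack already
 * extends past the responder and nothing is done. Returns the new length. */
int add_issuer_if_last_is_responder(mock_stack *st, const char *responder_subject,
                                    const mock_cert *issuer)
{
    if (st->len == 0 || st->len >= MAX_CHAIN)
        return -1;
    const mock_cert *last = &st->certs[st->len - 1];
    if (strcmp(last->subject, responder_subject) != 0)
        return st->len;            /* last cert is not the responder: do nothing */
    if (!mock_check_issued(issuer, last))
        return -1;                 /* supplied cert does not issue the responder */
    st->certs[st->len++] = *issuer;
    return st->len;
}

/* Build stack (1) A, (2) A -> B or (3) A -> B -> C from the mail. */
mock_stack make_stack(int depth)
{
    mock_stack st;
    memset(&st, 0, sizeof st);
    st.certs[0] = CERT_A;
    st.certs[1] = CERT_B;
    st.certs[2] = CERT_C;
    st.len = depth;
    return st;
}

/* Copies of B left by each strategy on the depth-N stack; 1 is correct. */
int naive_copies_of_b(int depth)
{
    mock_stack st = make_stack(depth);
    naive_add_issuer(&st, &CERT_B);
    return count_subject(&st, "CN=B");
}

int checked_copies_of_b(int depth)
{
    mock_stack st = make_stack(depth);
    add_issuer_if_last_is_responder(&st, CERT_A.subject, &CERT_B);
    return count_subject(&st, "CN=B");
}

/* Length after the checked strategy, or -1 if the issuer ordering was broken. */
int checked_len(int depth)
{
    mock_stack st = make_stack(depth);
    add_issuer_if_last_is_responder(&st, CERT_A.subject, &CERT_B);
    return chain_is_ordered(&st) ? st.len : -1;
}

int main(void)
{
    for (int depth = 1; depth <= 3; depth++)
        printf("depth %d: naive copies of B = %d, checked copies of B = %d, checked len = %d\n",
               depth, naive_copies_of_b(depth), checked_copies_of_b(depth), checked_len(depth));
    return 0;
}
```

With the model's assumption that the stack strictly follows the issuer chain, the unconditional append produces a second B for the A -> B and A -> B -> C stacks, while the last-cert check leaves every stack with exactly one B and its ordering intact. Whether OpenSSL's STACK_OF(X509) really carries that ordering guarantee is the open question the mail raises; the model only shows what follows if it does.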
Received on 2015-01-22