On Tue, Aug 05, 2003, Werner Johansson wrote: > > > Is the OCSP components of the OpenSSL library considered "stable" in the > sense that the API has settled, or are there major changes planned?? >
Yes pretty stable. If changes are made the older functions will be retained for compatibility. One thing you might want to reimplement is the request code which actually packages the OCSP request and obtains the response, currently in OCSP_sendreq_bio(). Its very basic and you might want some more sophisticated HTTP requester which includes timeouts. > But the attack mentioned here, does that include certs with the OCSP > Authority Info Access extension then (that would be the only way to let the > system use a bogus OCSP responder)?? If that's the case, is there anything > that can/should be done when parsing out the responder details from this > field, or is it OK to blindly trust that data if the cert verifies > (cert-chain and validity period OK)?? If the cert indeed has been signed by > a trusted CA, then it should be OK to trust the responder listed in the > cert, right? If, on the other hand, only the OCSP check is run, then any > strange cert can be presented, and people would be able to inject any > responses back to the server (possibly buffer-overflowing the OCSP client > and whatnot). > Yes that's it. If the chain verifies then you can assume that the URL is OK. Of course that doesn't rule out MITM attacks. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
