Hi Tim,
It's been quite a while since you posted this message, but I just ran into
the same problem.
There is a difference in how openssl versions like 0.9.8n and 1.0.0c
listen on the host's IP addresses. This is exactly what you evaluated
with your commands.
#> openssl ocsp -port 8888 -CA ca.pem -index index.txt -rsigner \
ocsp-responder.crt -rkey ocsp-responder.key
Waiting for OCSP client connections...
Under openssl 0.9.8n:
#> netstat -nap | grep 8888
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 30289/openssl
Under openssl 1.0.0c:
#> netstat -nap | grep 8888
tcp6 0 0 ::1:8888 :::* LISTEN 29178/openssl
I did a bit more digging and tested different port strings. The short
answer is that the problem is fixed upstream. Here's the comparison list
I tested (port string -> address the responder listens on):
openssl-0.9.8n
    8888           -> 0.0.0.0:8888
    0.0.0.0:8888   -> 0.0.0.0:8888
    127.0.0.1:8888 -> 127.0.0.1:8888
    :::8888        -> Error
    ::1:8888       -> Error
openssl-1.0.0d
    8888           -> ::1:8888
    0.0.0.0:8888   -> 0.0.0.0:8888
    127.0.0.1:8888 -> 127.0.0.1:8888
    :::8888        -> :::8888
    ::1:8888       -> ::1:8888
1.0.0-stable-SNAP-20110805
    8888           -> 0.0.0.0:8888
    0.0.0.0:8888   -> 0.0.0.0:8888
    127.0.0.1:8888 -> 127.0.0.1:8888
    :::8888        -> :::8888
    ::1:8888       -> ::1:8888
1.0.1-stable-SNAP-20110805
    8888           -> 0.0.0.0:8888
    0.0.0.0:8888   -> 0.0.0.0:8888
    127.0.0.1:8888 -> 127.0.0.1:8888
    :::8888        -> :::8888
    ::1:8888       -> ::1:8888
Currently it's not documented that you can use the IP address in the
port string. So the best thing to do with the current stable version is
to use the port string ":::8888". In that case the OCSP responder will
listen on all v4 and v6 IP addresses.
#> openssl ocsp -port :::8888 -CA ca.pem -index index.txt -rsigner \
ocsp-responder.crt -rkey ocsp-responder.key
When the system is listening on the default IPv6 address ":::8888" it
also accepts IPv4 traffic coming in. This is not the case for IPv6
traffic with the default IPv4 address "0.0.0.0:8888".
The behavior comes down to the openssl BIO_new_accept function. This was
discussed on this mailing list back in May.
http://www.mail-archive.com/openssl-users@openssl.org/msg64208.html
The OCSP issue is also listed in the Request Tracker.
http://rt.openssl.org #2460: OCSP server uses only IP6
I hope that clarifies things.
@Tomasz: I've put you on BCC because I thought you might find this
interesting.
Cheers,
Alex
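As an added example (not from this thread or the OpenSSL project), a small Python check that parses "netstat -nap" lines of the shape quoted above and reports which client address families can reach the responder before you point clients at it. It assumes a Linux dual-stack host with IPV6_V6ONLY off, which is what the ":::8888 also accepts IPv4" observation implies; the sample lines are constructed from the ones in the thread.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample: netstat -nap LISTEN lines in the shape quoted in this thread.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      30289/openssl
tcp6       0      0 ::1:8888                :::*                    LISTEN      29178/openssl
tcp6       0      0 :::8888                 :::*                    LISTEN      29178/openssl
"""


class Listener(NamedTuple):
    proto: str
    host: str
    port: int
    program: str


def parse_listeners(netstat_output):
    """Pick out LISTEN entries. IPv6 addresses contain ':' themselves,
    so the port is split off from the right."""
    found = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        host, port = f[3].rsplit(":", 1)
        found.append(Listener(f[0], host, int(port), f[6]))
    return found


def reachability(listener):
    """Which client families can connect to this socket. Assumption: a Linux
    dual-stack host with IPV6_V6ONLY off, so a '::' listener also accepts
    IPv4 clients (as IPv4-mapped addresses), while '::1' accepts IPv6 only."""
    addr = ipaddress.ip_address(listener.host)
    if addr.version == 4:
        return {"ipv4": True, "ipv6": False, "loopback_only": addr.is_loopback}
    return {"ipv4": addr.is_unspecified, "ipv6": True, "loopback_only": addr.is_loopback}


def ocsp_port_verdicts(netstat_output, port):
    """One verdict per listener on the given port. The 'Connection refused'
    in the thread against a ::1-only responder suggests the 1.0.0 client
    connects over IPv4, so 'ipv4' must be True for that client to succeed."""
    verdicts = {}
    for listener in parse_listeners(netstat_output):
        if listener.port == port:
            verdicts[listener.host] = reachability(listener)
    return verdicts
```

Feed it the real output of "netstat -nap | grep 8888" (or the equivalent "ss -lntp" lines) and check that the listener you expect reports ipv4 True before testing with "openssl ocsp -host localhost:8888".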
On 02/12/2011 01:05 AM, Timothy Stapko wrote:
Hello,
I have been developing an application using OpenSSL that needs an OCSP
responder, and for testing I use the following command to create the
responder:
openssl ocsp -index ./CA/index.txt -port 8888 -rsigner
./CA_resp/certs/responder.pem -rkey ./CA_resp/private/server.key -CA
./CA/ca.pem
My application was originally developed with OpenSSL 0.9.8o and worked
just fine, but I recently moved to 1.0.0a and the application started
failing to get a response. I spent some time looking at my application,
but then I tried just running an OCSP request from the command line:
openssl ocsp -host localhost:8888 -issuer ./CA/ca.pem -cert server.pem
This failed with the following errors:
Error connecting BIO
Error querying OCSP responsder
9784056:error:0200206F:system library:connect:Connection
refused:bss_conn.c:269:host=localhost:8888
9784056:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273:
This process works with 0.9.8o (same certs and command lines) and even
doing an OCSP request from 1.0.0a to a 0.9.8o responder worked. A little
digging led me to check the port (netstat -an | grep 8888) which showed
that the responder in 1.0.0a was listening on "::1:8888" (IPv6
localhost), and the 0.9.8o responder was listening on "127.0.0.1:8888"
(IPv4). I think that this may be at the heart of the problem.
I tried rebuilding 1.0.0a from source with IPv6 disabled (config with
-DOPENSSL_USE_IPV6=0) but the ocsp tool didn't work (another possible
bug?) so I switched it back on. I haven't yet tried the newer 1.x
versions but nothing in the changelog indicates this issue was found or
fixed.
Is this a real issue or am I missing something in my setup? I saw that
s_server now has -4 and -6 flags to switch between IPv4 and IPv6, but
the OCSP tool does not - could this be related to those changes?
My development environment is Ubuntu 10.10 with gcc 4.4.5.
Thanks!
Tim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org