Thank you for the feedback, JT. I'm glad that you've found my patch useful. Good if it works for 1.0.1c, because I only tested it with 1.0.1a.
On Thu, 2012-06-21 at 17:28 +0400, JT Rosin wrote:
> After hours of desperately trying to implement some kind of working ocsp
> check (using the code from apps/ocsp.c) in the verification callback I
> finally gave up and applied Alexander Komyagin's patch (found a new
> message from him with updated one) to 1.0.1c sources that I previously
> downloaded.
>
> I just placed a call to X509_STORE_set_flags(my_ctx,
> X509_V_FLAG_OCSP_CHECK_ALL) before SSL_connect() and everything worked
> like a charm!! :-) (strangely, with X509_V_FLAG_OCSP_CHECK my ocsp
> responder was never queried - seems like a bug or I haven't caught up on
> smth). I could even use ocsp without adding AIA extension to my
> certificates! (used X509_set_cert_ocsp_opt() for that).

Certainly, that's a bug. Attached patch (fix for the last patch) fixes the issue. Also I've incorporated a separate check for the case when we're checking only a self-signed certificate (so we won't do OCSP check for it).

>
> I already e-mailed this guy about
> X509_V_FLAG_OCSP_CHECK_ALL/X509_V_FLAG_OCSP_CHECK flag, but he hasn't
> replied yet. Do you think that his patch will also work with forthcoming
> releases of openssl??

Sure, if OpenSSL developers will consider merging it into upstream.

>
> On Wed, 2012-06-20 at 23:47 +0200, jb-open...@wisemo.com wrote:
> > Of course you shouldn't write your own OCSP code. OCSP is already part of
> > the OpenSSL library and the file apps/ocsp.c shows how to use it.
> >
> > Alexander Komyagin's patch from 12 days ago doesn't seem to have been
> > reviewed or commented by anybody else, so I am not sure if it is because
> > he also posted it on a dev list, if it is so perfect even the top experts
> > had no comments, if they are still testing it or if they reject it, I
> > simply don't know at this time.
> > Anyway, as his patch extends the OpenSSL
> > API, I wouldn't use it until it has been integrated and adapted for an
> > official OpenSSL release, as this ensures compatibility with future code
> > updates.
> >
> > apps/ocsp.c is released code though, and the OpenSSL functions it calls
> > are official released API functions, but it doesn't hook itself into the
> > regular certificate verification, which seems to be what Alexander's patch
> > adds.
> >
> > On 20-06-2012 17:19, JT Rosin wrote:
> > > hi, Jakob! Though it may work, I personally don't think that it's a good
> > > idea to implement ocsp code myself! Not only because I'm a lazy guy, but
> > > mainly for practical reasons :-)
> > >
> > > In google I found that some guy had already made a patch that brings
> > > some kind of ocsp client functionality to openssl
> > > (http://www.mail-archive.com/openssl-users@openssl.org/msg67721.html).
> > > I'll check that one tomorrow!!
> > >
> > >
> > > On Wed, 2012-06-20 at 16:04 +0200, Jakob Bohm wrote:
> > >> Look in the openssl source code in the "apps" directory. There you will
> > >> find the source code for each of the openssl command line subcommands
> > >> (including "openssl ocsp"). Use this as inspiration for how to do the
> > >> ocsp directly in your code.
> > >>
> > >> For most of the openssl command line subcommands, the code in apps is
> > >> just a thin wrapper around some of the documented interface calls, with
> > >> most of the code in apps dealing with the command line options, loading
> > >> certificates from files and other extra stuff you probably will not need
> > >> if the stuff is already in memory and you only want to do one or two
> > >> things, not all the possible permutations of command line options.
> > >>
> > >> On 6/20/2012 2:53 PM, JT Rosin wrote:
> > >>> Any help on this??
> > >>>
> > >>> On Mon, 2012-06-18 at 15:32 +0400, JT Rosin wrote:
> > >>>> Hello to everybody!!
> > >>>>
> > >>>> I'm writing a client/server app with communication over SSL. Every setup
> > >>>> can be a server or a client so I think I could benefit from using ocsp
> > >>>> for validation purposes!
> > >>>>
> > >>>> I'm very new to openssl but I found that I can use bundled command-line
> > >>>> `ocsp` application for checking certificates. Documentation says that I
> > >>>> need to call it with the remote certificate as argument.
> > >>>> I think I can get that certificate itself by calling
> > >>>> SSL_get_peer_certificate(), though I have completely no idea how to pass
> > >>>> the certificate to command-line app?
> > >>>>
> > >>>> Thanks for your help!!
> > >>>> BRs, JT.
> > >>>>
> > Enjoy
> >
> > Jakob
> >
> >
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Best wishes,
Alexander Komyagin
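JT's original question (how to hand the peer certificate to the command-line `ocsp` tool) and Jakob's answer (everything needed is the stock `openssl ocsp` subcommand from apps/ocsp.c) can be shown end to end without any patched OpenSSL. The script below is an added example, not code from this thread and not part of Alexander's patch. It assumes only an `openssl` binary on PATH; the CA, the three end-entity certificates, their serials and the CA index rows are all constructed by the script itself, and the request and response are exchanged through files in place of the network responder, so the whole round trip runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread or from Alexander's patch):
# an OCSP check done entirely with the stock `openssl ocsp` subcommand,
# the apps/ocsp.c route Jakob recommends. Assumes an `openssl` binary on
# PATH; every certificate, key, serial and index row below is constructed
# by the script itself.
set -eu

# Create a throwaway CA, three end-entity certs and a CA index (index.txt)
# in directory $1: "good" is listed as valid, "revoked" as revoked, and
# "missing" is deliberately left out of the index.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    >/dev/null 2>&1
  for name in good revoked missing; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.pem" \
      -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.pem" >/dev/null 2>&1
  done
  # index.txt rows (tab separated): status, expiry, revocation date[,reason],
  # serial (hex, as `x509 -serial` prints it), cert file, subject.
  good_serial=$(openssl x509 -noout -serial -in "$dir/good.pem" | cut -d= -f2)
  revoked_serial=$(openssl x509 -noout -serial -in "$dir/revoked.pem" | cut -d= -f2)
  {
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=good.example.test\n' "$good_serial"
    printf 'R\t300101000000Z\t240101000000Z,keyCompromise\t%s\tunknown\t/CN=revoked.example.test\n' \
      "$revoked_serial"
  } > "$dir/index.txt"
}

# Print the OCSP status ("good", "revoked" or "unknown") of certificate $2
# against the CA in $1, exchanging the request and response through files
# so that no network responder is needed. Fails if the response does not
# verify against the CA.
ocsp_status() {
  dir=$1
  cert=$2
  # 1. Client side: build the DER request, exactly what would be POSTed to
  #    the responder named in the AIA extension (nonce omitted for brevity).
  openssl ocsp -issuer "$dir/ca.pem" -cert "$cert" -no_nonce \
    -reqout "$dir/req.der" >/dev/null 2>&1
  # 2. Responder side: answer the request from index.txt, signing the
  #    response with the CA key (a production responder would use a
  #    delegated signing cert carrying the OCSPSigning EKU instead).
  openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
    -rkey "$dir/ca.key" -reqin "$dir/req.der" -respout "$dir/resp.der" \
    >/dev/null 2>&1
  # 3. Client side: verify the response signature against the trust store
  #    and pick the status line for our certificate out of the summary.
  out=$(openssl ocsp -respin "$dir/resp.der" -issuer "$dir/ca.pem" -cert "$cert" \
    -CAfile "$dir/ca.pem" -no_nonce 2>&1)
  case $out in
    *"Response verify OK"*) ;;
    *) echo "verify-failed"; return 1 ;;
  esac
  printf '%s\n' "$out" |
    awk -v c="$cert: " 'index($0, c) == 1 { print substr($0, length(c) + 1) }'
}

# Run the three cases: expected verdicts are good, revoked and unknown.
main() {
  work=$(mktemp -d)
  make_test_pki "$work"
  for name in good revoked missing; do
    printf '%-8s -> %s\n' "$name" "$(ocsp_status "$work" "$work/$name.pem")"
  done
  rm -rf "$work"
}
main
```

In a real client the certificate comes from SSL_get_peer_certificate() and its issuer from the verified chain; writing both to PEM files and running step 1 and step 3 against the responder URL (`-url`, taken from the certificate's AIA extension) is the whole of what the command-line tool needs, and the "unknown" verdict for the cert the index has never heard of is the case a client must treat as a failure rather than a pass.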
X-Git-Url: http://git/git diff --git a/recipes/openssl/openssl-1.0.1a/ocsp-support.patch b/recipes/openssl/openssl-1.0.1a/ocsp-support.patch index 610a716..0bf52de 100644 --- a/recipes/openssl/openssl-1.0.1a/ocsp-support.patch +++ b/recipes/openssl/openssl-1.0.1a/ocsp-support.patch @@ -466,10 +466,10 @@ index fe09b30..7a4b98f 100644 #endif diff --git a/crypto/x509/x509_vfy_ocsp.c b/crypto/x509/x509_vfy_ocsp.c new file mode 100644 -index 0000000..983923b +index 0000000..ee0e236 --- /dev/null +++ b/crypto/x509/x509_vfy_ocsp.c -@@ -0,0 +1,394 @@ +@@ -0,0 +1,401 @@ +/* crypto/x509/x509_vfy_ocsp.c */ +/* Copyright (C) 2012 Altell Ltd. (komya...@altell.ru) + * All rights reserved. @@ -743,6 +743,13 @@ index 0000000..983923b + return 1; + } + ++ // No OCSP for self-signed certs ++ if (sk_X509_num(ctx->chain) == 1) ++ { ++ DBG("Self-signed cert: OCSP won't be used"); ++ return 1; ++ } ++ + if (ctx->param->flags & X509_V_FLAG_OCSP_CHECK_ALL) + last = sk_X509_num(ctx->chain) - 1; + else @@ -750,7 +757,7 @@ index 0000000..983923b + // If checking CRL paths this isn't the EE certificate + if (ctx->parent) + return 1; -+ last = 0; ++ last = 1; + } + + // Note that we won't check the last cert in chain, since it makes
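Review bot: in the first hunk (`@@ -466,10 +466,10 @@`) the nested header `+@@ -0,0 +1,401 @@` and the new blob index `ee0e236` have been edited by hand to match the seven lines added further down (394 + 7 = 401), which is consistent here; since this is a patch of a patch, regenerating `ocsp-support.patch` from the modified tree instead of editing the nested headers and index lines in place would keep the counts from drifting on the next revision.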
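Review bot: in the second hunk the guard `if (sk_X509_num(ctx->chain) == 1)` tests chain length, not self-signedness, although the comment and the DBG text say "self-signed". A one-element chain also reaches this point when the issuer could not be found and the application's verify callback chose to continue, which is exactly the callback setup JT describes, so a cert with no issuer in the chain would silently skip OCSP. A direct test on the certificate itself, for example `X509_check_issued(x, x) == X509_V_OK` on the chain's first element, would match the comment; the `//` comments should also become `/* */` to fit the C89 style used elsewhere in crypto/x509.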
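Review bot: in the third hunk the change from `+ last = 0;` to `+ last = 1;` explains JT's report that the responder was never queried with X509_V_FLAG_OCSP_CHECK: if the loop that consumes `last` (outside this hunk) uses it as an exclusive upper bound, `last = 0` checked nothing and `last = 1` now checks only the end-entity cert at index 0. That makes this hunk depend on the new one-element-chain return in the previous hunk, since with `last = 1` the issuer at index 1 must exist for the OCSP lookup; the two should land together, and a comment next to `last = 1` stating that the bound is exclusive (the trailing "we won't check the last cert in chain" note is easy to misread) would stop the off-by-one from coming back.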