Dr. Stephen Henson wrote:
On Wed, Dec 12, 2012, Walter H. wrote:
Hello,
when using
openssl ocsp ...
in a CGI script, you must use -noverify
because without it, this creates the line
Response verify OK
Neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line
"disappear",
so this either produces a 500 page or sends an invalid OCSP response,
which results in Firefox in either:
The OCSP server returned unexpected/invalid HTTP data.
(Error code: sec_error_ocsp_bad_http_response)
or in:
The response from the OCSP server was corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_response)
Wireshark was a good help in finding this out.
My guess from that is you're using it as a responder: there isn't much
point in having it verify its own responses. What command line options are you
using?
Also that message is sent to stderr so you should be able to redirect it.
This is the whole CGI script:
#!/bin/bash

# Print the CGI header and a short banner (used for GET and for error replies).
function intro
{
    OPENSSLVERSION=$(openssl version)
    echo -e -n "Content-type: text/plain\n\n"
    echo -e -n "OCSP Interface ($OPENSSLVERSION)\n\n"
}

function invalidInput
{
    intro
    echo -e -n "Invalid OCSP request.\n"
}

case "$REQUEST_METHOD" in
"GET")
    intro
    ;;
"POST")
    if [ "$CONTENT_TYPE" == "application/ocsp-request" ]; then
        # recvocspreq reads the request body and prints the name of the file it wrote
        OCSPFILE=$(./recvocspreq)
        if [ $? -eq 0 ]; then
            # Build the response into a file. Anything openssl itself prints must not
            # reach the HTTP body, so its stdout is sent to stderr (the server's error log).
            openssl ocsp -index index.txt -VAfile ocspResponse.crt -CA chained01CAs.crt \
                -rsigner ocspResponse.crt -rkey ocspResponse.key -nmin 5 \
                -resp_key_id -noverify -reqin "$OCSPFILE" -respout "$OCSPFILE-resp" >&2
            ./sendocspresp "$OCSPFILE-resp"
            rm -f "$OCSPFILE" "$OCSPFILE-resp"
        else
            invalidInput
        fi
    else
        invalidInput
    fi
    ;;
esac
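A hardened variant of the responder CGI discussed in this thread, added here as an example (it is not Walter's script and not OpenSSL project code): every line openssl prints is diverted to a log so it can never end up in the HTTP body, the response file is sanity-checked before it is sent, and malformed input gets a DER OCSPResponse status instead of a text/plain message. The certificate, key and index file names are the ones from the thread; the helper programs ./recvocspreq and ./sendocspresp are replaced by direct stdin/stdout handling, and the log path is a placeholder.

```shell
#!/bin/sh
# Added example, not the script from the thread. Keeps every line openssl
# prints away from the HTTP body and answers bad input with DER, not text.
OCSP_LOG="${OCSP_LOG:-/tmp/ocsp-cgi.log}"    # placeholder log location

# Minimal OCSPResponse carrying only responseStatus (RFC 6960):
#   SEQUENCE { ENUMERATED status }  ->  30 03 0a 01 <status>
# 0 successful, 1 malformedRequest, 2 internalError, 3 tryLater, 6 unauthorized
ocsp_status_response() {
    printf '\060\003\012\001'
    printf "\\$(printf '%03o' "$1")"
}

# Both OCSPRequest and OCSPResponse are DER SEQUENCEs, so byte 0 must be 0x30.
looks_like_der() {
    [ -s "$1" ] || return 1
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# Emit the HTTP response for a file; nothing else may have written to stdout.
send_ocsp() {
    len=$(wc -c < "$1" | tr -d ' ')
    printf 'Content-Type: application/ocsp-response\r\nContent-Length: %s\r\n\r\n' "$len"
    cat "$1"
}

# Run the responder with stdout AND stderr diverted to the log, so a line such
# as "Response verify OK" cannot corrupt the body; then sanity-check the output.
run_responder() {   # $1 = request file, $2 = response file
    openssl ocsp -index index.txt -CA chained01CAs.crt \
        -rsigner ocspResponse.crt -rkey ocspResponse.key \
        -nmin 5 -resp_key_id -noverify \
        -reqin "$1" -respout "$2" >>"$OCSP_LOG" 2>&1 \
    && looks_like_der "$2"
}

# Act as a CGI only when invoked as one; sourcing the file for tests does nothing.
if [ "${REQUEST_METHOD:-}" = "POST" ]; then
    req=$(mktemp); resp=$(mktemp)
    cat > "$req"                                 # request body arrives on stdin
    if [ "${CONTENT_TYPE:-}" != "application/ocsp-request" ] || ! looks_like_der "$req"; then
        ocsp_status_response 1 > "$resp"         # malformedRequest
    elif ! run_responder "$req" "$resp"; then
        ocsp_status_response 2 > "$resp"         # internalError
    fi
    send_ocsp "$resp"
    rm -f "$req" "$resp"
fi
```

Because the web server only ever sees what send_ocsp writes, a stray diagnostic line shows up in the log file rather than as sec_error_ocsp_malformed_response in the browser.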
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org