Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/03/26 22:47:16 UTC

[Bug 62221] New: OCSP response processing uses always the first entry in the response

https://bz.apache.org/bugzilla/show_bug.cgi?id=62221

            Bug ID: 62221
           Summary: OCSP response processing uses always the first entry
                    in the response
           Product: Tomcat Native
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Library
          Assignee: dev@tomcat.apache.org
          Reporter: dirk.stein@dachpc.com
  Target Milestone: ---

The OCSP revocation check in Tomcat Native always chooses the first entry
in the response from the OCSP responder. The following line in the code is
responsible for this selection:
    ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
in /native/src/sslutils.c (from what I can tell, all versions that include this
feature).

However, we experienced weird behaviour with the OCSP revocation check, since
our PKI uses pre-produced (and signed) responses, which usually consist of
multiple certificate entries (for further performance optimizations, I guess;
unfortunately I have no insight there).
Checking the OCSP RFC (https://tools.ietf.org/html/rfc6960), I don't see
anything there suggesting that this is incorrect behaviour of the OCSP
responder.

Unfortunately, this leads to unpredictable behaviour of Tomcat and renders
the revocation check practically useless in this case.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 62221] OCSP response processing uses always the first entry in the response

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62221

jfclere <jf...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from jfclere <jf...@gmail.com> ---
Fixed in trunk, will be in 1.2.17.



[Bug 62221] OCSP response processing uses always the first entry in the response

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62221

--- Comment #1 from Dirk Stein <di...@dachpc.com> ---
Small addition, expected behaviour: Use OCSP_resp_find to find the correct
certificate in the response

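To make the report and comment #1 concrete, here is an added Python model (not Tomcat Native's code, which is C against OpenSSL) of the two selection strategies: taking entry 0 as the quoted `OCSP_resp_get0(bs,0)` line does, versus matching the RFC 6960 CertID of the certificate being checked, as `OCSP_resp_find` does. The issuer name, issuer key and serial numbers below are constructed placeholders, and the `demo` function is an assumed name for the walkthrough.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class CertID:
    """RFC 6960 CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

@dataclass(frozen=True)
class SingleResponse:
    """One entry of a BasicOCSPResponse: which certificate it describes and its status."""
    cert_id: CertID
    status: str  # "good", "revoked" or "unknown"

def cert_id_for(issuer_name_der: bytes, issuer_key_der: bytes, serial: int,
                hash_alg: str = "sha1") -> CertID:
    """Build the CertID a client computes for the certificate it is checking."""
    digest = lambda data: hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, digest(issuer_name_der), digest(issuer_key_der), serial)

def status_first_entry(responses: list[SingleResponse]) -> str:
    """Buggy selection, mirroring OCSP_resp_get0(bs, 0): ignores which cert entry 0 is about."""
    return responses[0].status

def status_by_cert_id(responses: list[SingleResponse], wanted: CertID) -> str:
    """Correct selection, mirroring OCSP_resp_find; a cert with no entry is reported unknown, never good."""
    for single in responses:
        if single.cert_id == wanted:
            return single.status
    return "unknown"

def demo() -> dict:
    # Constructed issuer material (placeholders, not real DER); only the hashes matter here.
    issuer_name = b"CN=Example Issuing CA (constructed)"
    issuer_key = b"constructed-issuer-public-key-bytes"
    # Pre-produced multi-entry response: the revoked certificate is NOT the first entry.
    pre_produced = [
        SingleResponse(cert_id_for(issuer_name, issuer_key, 0x1001), "good"),
        SingleResponse(cert_id_for(issuer_name, issuer_key, 0x2002), "revoked"),
    ]
    revoked_cert = cert_id_for(issuer_name, issuer_key, 0x2002)
    absent_cert = cert_id_for(issuer_name, issuer_key, 0x3003)
    return {
        "buggy_for_revoked": status_first_entry(pre_produced),              # "good": revoked cert accepted
        "fixed_for_revoked": status_by_cert_id(pre_produced, revoked_cert),  # "revoked"
        "fixed_for_absent": status_by_cert_id(pre_produced, absent_cert),    # "unknown"
    }
```

The first result is the failure mode the report describes: with entry 0 chosen blindly, a revoked certificate passes the check whenever the responder lists another certificate ahead of it.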