Re: svn commit: r1843478 - /httpd/test/framework/trunk/t/ssl/ocsp.t


Dennis, just to confirm ...  is this build ocsp enabled, or entirely absent and yet presenting the ocsp help in absence of the feature?

On Sun, Oct 14, 2018 at 4:38 PM Dennis Clarke <dclarke@xxxxxxxxxxxxx> wrote:
On 10/14/2018 05:14 PM, Rainer Jung wrote:
> Am 14.10.2018 um 22:58 schrieb William A Rowe Jr:
>> On Sun, Oct 14, 2018 at 3:50 PM Rainer Jung <rainer.jung@xxxxxxxxxxx
>> <mailto:rainer.jung@xxxxxxxxxxx>> wrote:
>>
>>
>>     And Jim already said "With 1.1.1, both return 1, but so what, we know
>>     that it has ocsp."
>>
>>
>> That, of course, is nonsense.
>>
>> OpenSSL is malleable... with numerous no-{feature} choices, we really
>> shouldn't presume presence of features by OpenSSL version. Otherwise,
>> why wouldn't we simply use a regex against `openssl version`?
>
> Agreed, looking at the code it seems that starting with 1.1.0 (I only
> checked 1.1.0i) ocsp can be disabled with no-ocsp.
>

As a red herring that illustrates how oddball the situation could get:

$ /usr/sfw/bin/openssl version 2>&1 | cut -f1 -d\(
OpenSSL 0.9.7d 17 Mar 2004

$ /usr/sfw/bin/openssl ocsp > /dev/null
OCSP utility
Usage ocsp [options]
where options are
-out file          output filename
-issuer file       issuer certificate
-cert file         certificate to check
-serial n          serial number to check
-signer file       certificate to sign OCSP request with
-signkey file      private key to sign OCSP request with
-sign_other file   additional certificates to include in signed request
-no_certs          don't include any certificates in signed request
-req_text          print text form of request
-resp_text         print text form of response
-text              print text form of request and response
-reqout file       write DER encoded OCSP request to "file"
-respout file      write DER encoded OCSP reponse to "file"
-reqin file        read DER encoded OCSP request from "file"
-respin file       read DER encoded OCSP reponse from "file"
-nonce             add OCSP nonce to request
-no_nonce          don't add OCSP nonce to request
-url URL           OCSP responder URL
-host host:n       send OCSP request to host on port n
-path              path to use in OCSP request
-CApath dir        trusted certificates directory
-CAfile file       trusted certificates file
-VAfile file       validator certificates file
-validity_period n maximum validity discrepancy in seconds
-status_age n      maximum status age in seconds
-noverify          don't verify response at all
-verify_other file additional certificates to search for signer
-trust_other       don't verify additional certificates
-no_intern         don't search certificates contained in response for
signer
-no_signature_verify don't check signature on response
-no_cert_verify    don't check signing certificate
-no_chain          don't chain verify response
-no_cert_checks    don't do additional checks on signing certificate
-port num                port to run responder on
-index file      certificate status index file
-CA file                 CA certificate
-rsigner file    responder certificate to sign responses with
-rkey file       responder key to sign responses with
-rother file     other certificates to include in response
-resp_no_certs     don't include any certificates in response
-nmin n          number of minutes before next update
-ndays n                 number of days before next update
-resp_key_id       identify reponse by signing certificate key ID
-nrequest n        number of requests to accept (default unlimited)
Segmentation Fault(coredump)
$

So, the situation can get out of hand quickly.

Dennis

ps: I am on the sidelines reading *all* of this and wondering ...
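
Added example, not part of the thread and not the code from r1843478: one way to probe a binary for the ocsp command without parsing `openssl version` or running the ocsp tool itself, using the `no-XXX` pseudo-command documented in openssl(1). The function name probe_openssl_cmd and the fake_* stand-ins are hypothetical names made up for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): ask the binary itself whether it has a
# command, instead of inferring it from the version string or from running it.

# probe_openssl_cmd BIN CMD -> prints "present", "absent" or "unknown".
# Relies on the documented pseudo-command "openssl no-CMD": it prints "no-CMD"
# and exits 0 when CMD is not available, prints "CMD" and exits 1 when it is.
probe_openssl_cmd() {
    bin=$1 cmd=$2
    # "&& rc=0 || rc=$?" keeps the probe usable under "set -e".
    out=$("$bin" "no-$cmd" 2>/dev/null) && rc=0 || rc=$?
    case "$rc:$out" in
        "1:$cmd")    echo present ;;
        "0:no-$cmd") echo absent ;;
        *)           echo unknown ;;  # crash, missing binary, odd output
    esac
}

# Constructed stand-ins for three kinds of build (shell functions, not real
# binaries), so the example runs without any particular OpenSSL installed.
fake_with_ocsp() { echo ocsp; return 1; }
fake_no_ocsp()   { echo no-ocsp; return 0; }
fake_crashing()  { return 139; }  # status a shell reports after SIGSEGV

# Probe the stand-ins, then whatever openssl is on PATH (or $OPENSSL).
for b in fake_with_ocsp fake_no_ocsp fake_crashing "${OPENSSL:-openssl}"; do
    printf '%-16s ocsp: %s\n' "$b" "$(probe_openssl_cmd "$b" ocsp)"
done
```

A test script would skip its OCSP cases on "absent" and treat "unknown" as a broken toolchain rather than as a missing feature.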