[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OCSP in 2.4 with OpenSSL 0.9.8(zh)

Some answers inline and the solution at the end ...

Am 18.10.2018 um 15:01 schrieb William A Rowe Jr:
On Thu, Oct 18, 2018 at 7:27 AM Rainer Jung <rainer.jung@xxxxxxxxxxx <mailto:rainer.jung@xxxxxxxxxxx>> wrote:

    I get test suite failures for t/ssl/ocsp.t when the server is build
    against OpenSSL 0.9.8zh. I can't judge on whether that is expected for
    OpenSSL 0.9.8.

A very good question, and I can't either. Can you confirm your openssl
command line tool has the `openssl ocsp` mini-responder by posting the
results of an `openssl ocsp -help` invocation?

$ openssl ocsp -help
OCSP utility
Usage ocsp [options]

$ openssl version -a
OpenSSL 0.9.8zh 3 Dec 2015
built on: Tue Sep 11 11:20:47 CEST 2018
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -g -Wall -fno-strict-aliasing -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM

It might be that we never handled ocsp here.

It might also be that your $openssl resolves to a system tool which is not
in sync with the openssl tested in httpd. You may want to override that value.

Should not. I'm handling so many OpenSSL versions on the client and server side, so I'm typicaly really careful to set up the PATH etc. so the right tools are found. But even the platform openssl supports ocsp.

And may be httpd never supported the ocsp directives with 0.9.8, so our
tests for the micro responder and the version of httpd alone are not sufficient.

Found it: OpenSSL 0.9.8 doesn't allow "ocsp -reqin -" which is used by the ocsp.pl script in the test suite. Reading from stdin works in 1.0.2 but throws the following error in 0.9.8:

Error Opening OCSP request file
3487:error:02001002:system library:fopen:No such file or directory:bss_file.c:124:fopen('-','rb')
3487:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:127:

It also does not work in 1.0.1, so our OCSP tests should not run for OpenSSL < 1.0.2 (or we must fix the perl script by using a tmp file).