Opened 6 years ago

Closed 6 years ago

#450 closed Bug / Defect (fixed)

OCSP_check doesn't verify OCSP responses correctly

Reported by: hkario Owned by:
Priority: major Milestone: release 2.3.5
Component: Contrib Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: ocsp, certificate verification, certificate revocation
Cc:

Description

The contrib/OCSP_check/OCSP_check.sh script doesn't check if the signature on the
OCSP response was correct or signed with a trusted CA.

In other words, the following output from openssl ocsp will be accepted as trustworthy:

Response Verify Failure
140447426414464:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate
server/cert.pem: good

This Update: Sep 23 12:13:19 2014 GMT
Next Update: Sep 24 12:13:19 2014 GMT

It also doesn't check if the dates are new enough for OpenSSL; in cases like this the ocsp tool will report:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
140059207657344:error:2707307F:OCSP routines:OCSP_check_validity:status too old:ocsp_cl.c:338:
good

This Update: Mar 24 21:13:01 2014 GMT
Next Update: Sep 24 12:13:01 2014 GMT

Note that both "verify OK" and "good" status are reported, so a slight change in timing or buffering of output can cause it to be accepted.

Pull request with fixes at github:
https://github.com/OpenVPN/openvpn/pull/17

All versions of OCSP_check.sh are affected (that is, all versions released since 2010-04-27).
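As an added illustration of the acceptance logic this ticket argues for (not the contrib OCSP_check.sh code or the submitted patch), the following POSIX shell function rejects the openssl ocsp output unless the response verified, no stale-times warning appeared, and the status is exactly "good". The function name and the sample outputs are constructed here, modelled on the outputs quoted above.

```shell
#!/bin/sh
# Hypothetical hardened check over the text printed by `openssl ocsp`.
# Returns 0 = accept the certificate, 1 = reject it.
ocsp_output_ok() {
    out="$1"
    # 1. The response signature must have verified against a trusted issuer.
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    # 2. An explicit verify failure or a stale-times warning is a hard reject,
    #    even when a "good" line also appears later in the output.
    printf '%s\n' "$out" | grep -q 'Response Verify Failure' && return 1
    printf '%s\n' "$out" | grep -q 'Status times invalid' && return 1
    printf '%s\n' "$out" | grep -q 'status too old' && return 1
    # 3. The status must be exactly "good": either "<cert>: good" or a bare
    #    "good" line (openssl prints the bare form after a WARNING line).
    printf '%s\n' "$out" | grep -Eq '(^|: )good$' || return 1
    return 0
}

# Constructed samples (modelled on the ticket's quoted outputs).
SAMPLE_GOOD='Response verify OK
server/cert.pem: good
    This Update: Sep 23 12:13:19 2014 GMT
    Next Update: Sep 24 12:13:19 2014 GMT'

SAMPLE_VERIFY_FAIL='Response Verify Failure
140447426414464:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate
server/cert.pem: good'

SAMPLE_TIMES_INVALID='Response verify OK
ca/cert.pem: WARNING: Status times invalid.
140059207657344:error:2707307F:OCSP routines:OCSP_check_validity:status too old:ocsp_cl.c:338:
good'

SAMPLE_REVOKED='Response verify OK
server/cert.pem: revoked
    This Update: Sep 23 12:13:19 2014 GMT'

# Expected: ACCEPT REJECT REJECT REJECT
for s in "$SAMPLE_GOOD" "$SAMPLE_VERIFY_FAIL" "$SAMPLE_TIMES_INVALID" "$SAMPLE_REVOKED"; do
    if ocsp_output_ok "$s"; then echo ACCEPT; else echo REJECT; fi
done
```

Only the first sample is accepted; the "Response Verify Failure" and "Status times invalid" cases from the ticket are rejected even though a "good" line is present in both.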

Change History (1)

comment:1 Changed 6 years ago by Steffan Karger

Component: Generic / unclassified → Contrib
Milestone: release 2.3.5
Resolution: fixed
Status: new → closed

Thanks for reporting and supplying patches. Your patches have been applied to the master and release/2.3 branches.

See:
http://thread.gmane.org/gmane.network.openvpn.devel/9054
