Opened 10 years ago
Closed 10 years ago
#450 closed Bug / Defect (fixed)
OCSP_check doesn't verify OCSP responses correctly
| Reported by: | hkario | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.3.5 |
| Component: | Contrib | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | ocsp, certificate verification, certificate revocation |
| Cc: |
Description
The contrib/OCSP_check/OCSP_check.sh script doesn't check if the signature on the
ocsp response was correct or signed with a trusted CA.
In other words, following output from openssl ocsp will be accepted as trustworthy:
Response Verify Failure
140447426414464:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate
server/cert.pem: good
This Update: Sep 23 12:13:19 2014 GMT
Next Update: Sep 24 12:13:19 2014 GMT
It also doesn't check if the dates are new enough for OpenSSL, in cases like this ocsp tool will report:
Response verify OK
ca/cert.pem: WARNING: Status times invalid.
140059207657344:error:2707307F:OCSP routines:OCSP_check_validity:status too old:ocsp_cl.c:338:
good
This Update: Mar 24 21:13:01 2014 GMT
Next Update: Sep 24 12:13:01 2014 GMT
Note that both "verify OK" and "good" status are reported, so slight change in timing or buffering of output can cause it to be accepted.
Pull request with fixes at github:
https://github.com/OpenVPN/openvpn/pull/17
All versions of OCSP_check.sh are affected (that means, all released since 2010-04-27)
Change History (1)
comment:1 Changed 10 years ago by
| Component: | Generic / unclassified → Contrib |
|---|---|
| Milestone: | → release 2.3.5 |
| Resolution: | → fixed |
| Status: | new → closed |
Thanks for reporting and supplying patches. Your patches have been applied to the master and release/2.3 branches.
See:
http://thread.gmane.org/gmane.network.openvpn.devel/9054