Opened 10 years ago

Closed 10 years ago

#450 closed Bug / Defect (fixed)

OCSP_check doesn't verify OCSP responses correctly

Reported by: hkario Owned by:
Priority: major Milestone: release 2.3.5
Component: Contrib Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: ocsp, certificate verification, certificate revocation


The contrib/OCSP_check/ script doesn't check if the signature on the
ocsp response was correct or signed with a trusted CA.

In other words, following output from openssl ocsp will be accepted as trustworthy:
Response Verify Failure
140447426414464:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate
server/cert.pem: good

This Update: Sep 23 12:13:19 2014 GMT
Next Update: Sep 24 12:13:19 2014 GMT

It also doesn't check if the dates are new enough for OpenSSL, in cases like this ocsp tool will report:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
140059207657344:error:2707307F:OCSP routines:OCSP_check_validity:status too old:ocsp_cl.c:338:

This Update: Mar 24 21:13:01 2014 GMT
Next Update: Sep 24 12:13:01 2014 GMT

Note that both "verify OK" and "good" status are reported, so slight change in timing or buffering of output can cause it to be accepted.

Pull request with fixes at github:

All versions of are affected (that means, all released since 2010-04-27)

Change History (1)

comment:1 Changed 10 years ago by Steffan Karger

Component: Generic / unclassifiedContrib
Milestone: release 2.3.5
Resolution: fixed
Status: newclosed

Thanks for reporting and supplying patches. Your patches have been applied to the master and release/2.3 branches.


Note: See TracTickets for help on using tickets.