Hello,
I think we found a minor bug in OCSP verification that is still present in
openssl-1.0.0-beta2.
In source file ocsp_vfy.c, line 147:
    if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
X509_check_trust is fed an NID, which is out of range in the
subsequently called function X509_TRUST_get_by_id.
Maybe it should read:
    if(X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) != X509_TRUST_TRUSTED)
Currently we have to set OCSP_NOCHECKS when doing OCSP_basic_verify,
because ocsp_check_issuer still returns zero.
Any hint?
TIA
Christian
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]