Hello, Checking a certificate using OCSP, for example: openssl ocsp -CAfile CA.cert -issuer CA.cert -cert test.cert -url http://ocspserver:port
This fails if the remote OCSP server is reached through a virtual host (vhost), for example a reverse proxy in front of the real OCSP responder, because the proxy cannot route the request to the right backend. The problem is that the openssl ocsp client does not include a Host header in the HTTP request it sends. I took some information from the Apache httpd project (modules/ssl/ssl_util_ocsp.c) and made a quick patch against 1.0.0d that includes the Host header. I tested it and it works. Find it attached. Regards, Carlos Velasco
diff -ur openssl-1.0.0d/apps/ocsp.c openssl-1.0.0d-new/apps/ocsp.c
--- openssl-1.0.0d/apps/ocsp.c 2009-09-30 23:41:51.000000000 +0200
+++ openssl-1.0.0d-new/apps/ocsp.c 2011-07-23 23:30:11.363476326 +0200
@@ -113,7 +113,7 @@
 static BIO *init_responder(char *port);
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *host, char *path, char *port,
 STACK_OF(CONF_VALUE) *headers,
 OCSP_REQUEST *req, int req_timeout);
@@ -1273,7 +1273,7 @@
 return 1;
 }
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *host, char *path, char *port,
 STACK_OF(CONF_VALUE) *headers,
 OCSP_REQUEST *req, int req_timeout)
 {
@@ -1317,7 +1317,7 @@
 }
- ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
+ ctx = OCSP_sendreq_new(cbio, host, path, port, NULL, -1);
 if (!ctx) return NULL;
@@ -1407,7 +1407,7 @@
 sbio = BIO_new_ssl(ctx, 1);
 cbio = BIO_push(sbio, cbio);
 }
- resp = query_responder(err, cbio, path, headers, req, req_timeout);
+ resp = query_responder(err, cbio, host, path, port, headers, req, req_timeout);
 if (!resp) BIO_printf(bio_err, "Error querying OCSP responsder\n");
 end:
diff -ur openssl-1.0.0d/crypto/ocsp/ocsp.h openssl-1.0.0d-new/crypto/ocsp/ocsp.h
--- openssl-1.0.0d/crypto/ocsp/ocsp.h 2009-09-30 23:41:52.000000000 +0200
+++ openssl-1.0.0d-new/crypto/ocsp/ocsp.h 2011-07-23 23:30:53.614143318 +0200
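Review bot: The `query_responder` prototype in the first hunk already takes a `STACK_OF(CONF_VALUE) *headers` parameter, which suggests this build of the ocsp app can already attach arbitrary request headers (presumably the `-header name value` option); if that is the case, `-header Host ocspserver` solves the vhost problem with no signature change at all, and that is worth confirming before threading `host` and `port` through four functions. If the new parameters are kept, the hunks give no indication of where `host` comes from or whether it can be NULL (the caller of `query_responder` at `@@ -1407` starts and ends outside the hunk), so the prototype deserves a comment such as `/* host/port may be NULL: only a Host header for a known host is sent */` that pins down the contract the library side must honour. The existing `port` argument is also only ever passed through to the library here, so it would read better as `const char *` alongside `host`, although the surrounding `char *` parameters make that a style choice for the whole file.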
@@ -401,8 +401,8 @@
 OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *host, char *path, char *port, OCSP_REQUEST *req);
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req,
 int maxline);
 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
 void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
diff -ur openssl-1.0.0d/crypto/ocsp/ocsp_ht.c openssl-1.0.0d-new/crypto/ocsp/ocsp_ht.c
--- openssl-1.0.0d/crypto/ocsp/ocsp_ht.c 2010-10-06 20:01:23.000000000 +0200
+++ openssl-1.0.0d-new/crypto/ocsp/ocsp_ht.c 2011-07-23 23:32:17.947450740 +0200
@@ -151,10 +151,10 @@
 return 1;
 }
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req,
 int maxline)
 {
- static const char post_hdr[] = "POST %s HTTP/1.0\r\n";
+ static const char post_hdr[] = "POST %s HTTP/1.0\r\nHost: %s:%s\r\n";
 OCSP_REQ_CTX *rctx;
 rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
@@ -172,7 +172,7 @@
 if (!path) path = "/";
- if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
+ if (BIO_printf(rctx->mem, post_hdr, path, host, port ? port : "80") <= 0)
 return 0;
 if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
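Review bot: Changing the parameter lists of the exported `OCSP_sendreq_bio` and `OCSP_sendreq_new` in a public header is an API and ABI break for every program built against 1.0.0, which is hard to justify on a stable branch for an additive feature, and because the new arguments are all `char *` an un-recompiled or carelessly updated caller fails at run time rather than at compile time. Keep the existing two prototypes unchanged and add the Host header through a separate call on the request context, for example `int OCSP_REQ_CTX_set1_host(OCSP_REQ_CTX *rctx, const char *host, const char *port);` (or the header-adding facility the library presumably already has behind the app's `headers` stack), so that unmodified callers keep linking and behaving as before. Whatever shape is chosen, the new declarations should document that `host` and `port` may be NULL and that they are only read, i.e. `const char *`.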
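Review bot: The replacement `BIO_printf` in the `@@ -172` hunk hardcodes `"80"` whenever the caller gives no port, but `OCSP_sendreq_new` cannot tell whether `io` is a plain or an SSL BIO (the app pushes an SSL BIO before calling it, per the apps/ocsp.c hunk), so an https responder reached without an explicit port gets `Host: name:80`; a NULL `host` is also still formatted, since the `if (!path) path = "/";` default guards only `path`. A Host header is `host[:port]`: send the host alone, append `:port` only when one was supplied, and skip the header entirely when no host is known. The rewrite below replaces the single `BIO_printf` of `post_hdr`, which then shrinks back to the original `"POST %s HTTP/1.0\r\n"` in the `@@ -151` hunk; the rest of `OCSP_sendreq_new` is outside the hunks.
```c
	/* … unchanged: rctx allocation, maxline handling, path default … */
	if (BIO_printf(rctx->mem, "POST %s HTTP/1.0\r\n", path) <= 0)
		return 0;
	/* Host: host[:port] -- omit the port when none was given so the
	 * scheme default (80, or 443 over an SSL BIO) applies; no host,
	 * no header, which is the pre-patch behaviour. */
	if (host != NULL)
		{
		if (BIO_printf(rctx->mem, "Host: %s", host) <= 0)
			return 0;
		if (port != NULL && BIO_printf(rctx->mem, ":%s", port) <= 0)
			return 0;
		if (BIO_puts(rctx->mem, "\r\n") <= 0)
			return 0;
		}
	/* … unchanged: OCSP_REQ_CTX_set1_req … */
```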
@@ -482,13 +482,13 @@
 /* Blocking OCSP request handler: now a special case of non-blocking I/O */
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *host, char *path, char *port, OCSP_REQUEST *req)
 {
 OCSP_RESPONSE *resp = NULL;
 OCSP_REQ_CTX *ctx;
 int rv;
- ctx = OCSP_sendreq_new(b, path, req, -1);
+ ctx = OCSP_sendreq_new(b, host, port, path, req, -1);
 do {
diff -ur openssl-1.0.0d/include/openssl/ocsp.h openssl-1.0.0d-new/include/openssl/ocsp.h
--- openssl-1.0.0d/include/openssl/ocsp.h 2009-09-30 23:41:52.000000000 +0200
+++ openssl-1.0.0d-new/include/openssl/ocsp.h 2011-07-23 23:30:53.614143318 +0200
@@ -401,8 +401,8 @@
 OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *host, char *path, char *port, OCSP_REQUEST *req);
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req,
 int maxline);
 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
 void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
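Review bot: The new call `ctx = OCSP_sendreq_new(b, host, port, path, req, -1);` passes `port` before `path`, while the prototype this same patch declares in ocsp.h is `OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req, int maxline)`, so every user of the blocking `OCSP_sendreq_bio` would emit `POST <port> HTTP/1.0` with `Host: host:<path>`, and because all three arguments are `char *` the compiler cannot flag the swap. It should read `ctx = OCSP_sendreq_new(b, host, path, port, req, -1);`, matching the corrected order used in the apps/ocsp.c hunk. This is also a good illustration of why three adjacent string parameters are fragile and a setter on the request context would be the safer interface. The body of `OCSP_sendreq_bio` continues past the hunk.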