Hello,
Checking a certificate using OCSP, for example:
openssl ocsp -CAfile CA.cert -issuer CA.cert -cert test.cert -url
http://ocspserver:port
fails if the remote OCSP server is using a virtual host (vhost), such as a
reverse proxy leading to the real OCSP server.
The problem is that the openssl check does not include a Host header in the
HTTP request.
I took some information from the Apache httpd project (modules/ssl/ssl_util_ocsp.c)
and made a quick patch against 1.0.0d that includes the Host header.
I tested it and it works. Find it attached.
Regards,
Carlos Velasco
diff -ur openssl-1.0.0d/apps/ocsp.c openssl-1.0.0d-new/apps/ocsp.c
--- openssl-1.0.0d/apps/ocsp.c 2009-09-30 23:41:51.000000000 +0200
+++ openssl-1.0.0d-new/apps/ocsp.c 2011-07-23 23:30:11.363476326 +0200
@@ -113,7 +113,7 @@
static BIO *init_responder(char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *host, char *path, char *port,
STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
@@ -1273,7 +1273,7 @@
return 1;
}
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *host, char *path, char *port,
STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout)
{
@@ -1317,7 +1317,7 @@
}
- ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
+ ctx = OCSP_sendreq_new(cbio, host, path, port, NULL, -1);
if (!ctx)
return NULL;
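Review bot: The Host header could be attached at this point without changing the library API, because the call already passes `NULL` as the request and so the header block is still open after it returns: directly after `if (!ctx) return NULL;` add `if (!OCSP_REQ_CTX_add1_header(ctx, "Host", host)) return NULL;`, which is the same mechanism the `headers` parameter of query_responder is presumably fed through further down, outside this hunk. That keeps OCSP_sendreq_new and OCSP_sendreq_bio source- and binary-compatible for other callers. As written, a user who already supplies `-header Host ...` will now send two Host headers, which should at least be documented. The body of query_responder continues outside the hunk.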
@@ -1407,7 +1407,7 @@
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
- resp = query_responder(err, cbio, path, headers, req, req_timeout);
+ resp = query_responder(err, cbio, host, path, port, headers, req, req_timeout);
if (!resp)
BIO_printf(bio_err, "Error querying OCSP responsder\n");
end:
diff -ur openssl-1.0.0d/crypto/ocsp/ocsp.h openssl-1.0.0d-new/crypto/ocsp/ocsp.h
--- openssl-1.0.0d/crypto/ocsp/ocsp.h 2009-09-30 23:41:52.000000000 +0200
+++ openssl-1.0.0d-new/crypto/ocsp/ocsp.h 2011-07-23 23:30:53.614143318 +0200
@@ -401,8 +401,8 @@
OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *host, char *path, char *port, OCSP_REQUEST *req);
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req,
int maxline);
int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
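Review bot: Changing the exported prototypes of OCSP_sendreq_bio and OCSP_sendreq_new is an API and ABI break for every out-of-tree caller, and because every new parameter is `char *`, a binary built against the old prototype would still link and run, passing its path where host is now read. Keeping the old prototypes and adding a separate entry point, or a setter on OCSP_REQ_CTX that records the host, would avoid that; the same applies to the identical hunk in include/openssl/ocsp.h, which in the 1.0.0 tree is normally a link to this file. The new prototypes should also state what a NULL host or port means, since the implementation only defaults the port.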
diff -ur openssl-1.0.0d/crypto/ocsp/ocsp_ht.c openssl-1.0.0d-new/crypto/ocsp/ocsp_ht.c
--- openssl-1.0.0d/crypto/ocsp/ocsp_ht.c 2010-10-06 20:01:23.000000000 +0200
+++ openssl-1.0.0d-new/crypto/ocsp/ocsp_ht.c 2011-07-23 23:32:17.947450740 +0200
@@ -151,10 +151,10 @@
return 1;
}
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req,
int maxline)
{
- static const char post_hdr[] = "POST %s HTTP/1.0\r\n";
+ static const char post_hdr[] = "POST %s HTTP/1.0\r\nHost: %s:%s\r\n";
OCSP_REQ_CTX *rctx;
rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
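Review bot: The new post_hdr always emits `Host: <host>:<port>`, and the hunk at -172 substitutes "80" when port is NULL, which is wrong for a TLS-wrapped BIO (apps/ocsp.c pushes an SSL BIO before reaching this code) unless every caller passes an explicit port. Since the port is optional in the Host header and defaults by scheme, emit it only when the caller gives one: keep `"POST %s HTTP/1.0\r\nHost: %s"` here and in the -172 hunk write `if (BIO_printf(rctx->mem, post_hdr, path, host) <= 0 || (port && BIO_printf(rctx->mem, ":%s", port) <= 0) || BIO_puts(rctx->mem, "\r\n") <= 0) return 0;`. The function body continues past the end of this hunk.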
@@ -172,7 +172,7 @@
if (!path)
path = "/";
- if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
+ if (BIO_printf(rctx->mem, post_hdr, path, host, port ? port : "80") <= 0)
return 0;
if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
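Review bot: `host` is formatted into the Host header unguarded, whereas `path` two lines above is defaulted to "/"; a NULL host from any caller that kept the old calling convention produces a bogus header (OpenSSL's BIO_printf appears to print a placeholder for a null string argument, but that is inferred, not visible here) instead of a clean failure. Both strings also go straight into the header line, so a value containing CR or LF would end the line early and be read as a further header; reject that here rather than relying on callers: `if (!host || strpbrk(host, "\r\n") || (port && strpbrk(port, "\r\n"))) return 0;` before the BIO_printf. The enclosing function starts and ends outside this hunk.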
@@ -482,13 +482,13 @@
/* Blocking OCSP request handler: now a special case of non-blocking I/O */
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *host, char *path, char *port, OCSP_REQUEST *req)
{
OCSP_RESPONSE *resp = NULL;
OCSP_REQ_CTX *ctx;
int rv;
- ctx = OCSP_sendreq_new(b, path, req, -1);
+ ctx = OCSP_sendreq_new(b, host, port, path, req, -1);
do
{
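Review bot: The argument order in the new OCSP_sendreq_bio call is wrong: OCSP_sendreq_new is declared as `(io, host, path, port, req, maxline)` in the hunk at -151, but this call passes `host, port, path`, so the request line becomes `POST <port> HTTP/1.0` with the path where the port belongs. Because all three are `char *` the compiler cannot catch it; the line should read `ctx = OCSP_sendreq_new(b, host, path, port, req, -1);`. This also suggests the patch was only exercised through apps/ocsp.c, which calls OCSP_sendreq_new directly and never goes through OCSP_sendreq_bio. The do/while loop that follows continues outside the hunk.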
diff -ur openssl-1.0.0d/include/openssl/ocsp.h openssl-1.0.0d-new/include/openssl/ocsp.h
--- openssl-1.0.0d/include/openssl/ocsp.h 2009-09-30 23:41:52.000000000 +0200
+++ openssl-1.0.0d-new/include/openssl/ocsp.h 2011-07-23 23:30:53.614143318 +0200
@@ -401,8 +401,8 @@
OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *host, char *path, char *port, OCSP_REQUEST *req);
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *host, char *path, char *port, OCSP_REQUEST *req,
int maxline);
int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);