Hi,

shouldn't the trailing slash be allowed?

In RFC 2560 section 3.1 it reads:

   The value of the accessLocation field in the subject certificate
   defines the transport (e.g. HTTP) used to access the OCSP responder
   and may contain other transport dependent information (e.g. a URL).

and in the references (section 6) RFC 1738 is mentioned for [URL], and there, in section 3.3 "HTTP" it reads:

   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

   [...] If neither <path> nor <searchpart> is present, the "/" may also be omitted.

To my understanding there is nothing wrong if there is a trailing (single) slash. It is the separator between <host> with (optional) :<port> and an empty <path> value. It MAY be omitted, but it may also be there, right?

Please correct me if I am missing something.

Best regards,
Martin

On 10.12.2013 01:34, Ryan Castellucci wrote:
> I've discovered that having a trailing slash in an OCSP URL can cause
> problems with MS-CAPI. This is a minimal patch to make the example
> non-broken. I haven't added any additional text to the documentation
> to explain this because all that was there in the first place was the
> example. Please let me know if this needs to be more extensively
> documented.
>
> I've CC'd [email protected] is requested in the readme, however this
> is a trivial documentation change which doesn't touch any encryption
> code.
>
> diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod > index 06d8467..8e3d48a 100644 > --- a/doc/apps/x509v3_config.pod > +++ b/doc/apps/x509v3_config.pod > @@ -220,7 +220,7 @@ certain values are meaningful, for example OCSP > and caIssuers. > > Example: > > - authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ > + authorityInfoAccess = OCSP;URI:http://ocsp.my.host > authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]
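
Review bot: the changed OCSP line under "Example:" in doc/apps/x509v3_config.pod loses its trailing slash with no accompanying text, so a reader of the pod cannot tell that the omission is deliberate or why it matters. The message gives the reason (a trailing slash in an OCSP URL can cause problems with MS-CAPI); a one-sentence note next to the example saying so would stop someone from adding the slash back later, and it could state that both forms are syntactically valid, which is the objection raised in the reply. The caIssuers line carries a real path (/ca.html) and is correctly left unchanged.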
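
The two points made in this thread, as an added example that is not part of either message or of the OpenSSL source: a small lint over x509v3 config text that flags OCSP URIs consisting of a host plus a bare "/", and a comparison showing that per RFC 1738 section 3.3 the two spellings name the same resource. The function names and the sample config are constructed for illustration; only the `OCSP;URI:` syntax and the two example URLs come from the patch.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the two lines from the patch's example plus one
# OCSP URI with a real path, which the lint must leave alone.
SAMPLE_CNF = """\
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
authorityInfoAccess = OCSP;URI:http://ocsp.my.host:8080/responder/
"""

def aia_entries(cnf_text):
    """Yield (method, uri) for every URI value of authorityInfoAccess."""
    for line in cnf_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "authorityInfoAccess":
            continue
        for item in value.split(","):  # the extension is multi-valued
            method, sep, location = item.strip().partition(";")
            if sep and location.startswith("URI:"):
                yield method.strip(), location[len("URI:"):].strip()

def same_resource(a, b):
    """RFC 1738 3.3: with an empty <path>, the "/" may be present or omitted."""
    def canon(uri):
        p = urlsplit(uri)
        # Assumption: http scheme, so a missing port means 80.
        return (p.scheme.lower(), p.hostname, p.port or 80, p.path or "/", p.query)
    return canon(a) == canon(b)

def lint_ocsp_uris(cnf_text):
    """Return (uri, suggested) for OCSP URIs whose whole path is a bare "/"."""
    findings = []
    for method, uri in aia_entries(cnf_text):
        p = urlsplit(uri)
        if method == "OCSP" and p.path == "/" and not p.query:
            findings.append((uri, urlunsplit((p.scheme, p.netloc, "", "", ""))))
    return findings

if __name__ == "__main__":
    for uri, suggested in lint_ocsp_uris(SAMPLE_CNF):
        print(f"{uri} -> {suggested} (same resource: {same_resource(uri, suggested)})")
```

The lint only rewrites the host-only case discussed in the thread; a URI such as http://ocsp.my.host:8080/responder/ has a non-empty path, so dropping its slash would name a different resource.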
