As I mentioned in the comments I included, a trailing slash, while totally *valid*, causes problems with MS-CAPI. MS-CAPI likes to use HTTP GET for its OCSP requests, and it seems to like to add an extra slash even if it's not needed. I'm not finding anything online documenting this online, but have a look at some certificates from commercial CAs - none of them have trailing slashes. I'll dig up some request logs from my server that show the problem.
On Fri, Dec 13, 2013 at 5:20 AM, Martin Hecht <[email protected]> wrote: > Hi, > > shouldn't the trailing slash be allowed? In RFC 2560 section 3.1 it reads: > The value of the accessLocation field in the subject certificate defines > the transport (e.g. HTTP) used to access the OCSP responder and may > contain other transport dependent information (e.g. a URL). > > and in the references (section 6) RFC 1738 is mentioned for [URL], and > there, in section 3.3 "HTTP" it reads: > An HTTP URL takes the form: > http://<host>:<port>/<path>?<searchpart> > [...] If neither <path> nor <searchpart> is present, the "/" may also > be omitted. > > To my understanding there is nothing wrong, if there is a trailing > (single) slash. It is the separator between <host> with (optional) > :<port> and an empty <path> value. It MAY be omitted, but it may also be > there, right? > > Please correct me if I am missing something. > > best regards, > Martin > > > On 10.12.2013 01:34, Ryan Castellucci wrote: >> I've discovered that having a trailing slash in an OCSP URL can cause >> problems with MS-CAPI. This is a minimal patch to make the example >> non-broken. I haven't added any additional text to the documentation >> to explain this because all that was there in the first place was the >> example. Please let me know if this needs to be more extensively >> documented. >> >> I've CC'd [email protected] is requested in the readme, however this >> is a trivial documentation change which doesn't touch any encryption >> code. >> >> diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod >> index 06d8467..8e3d48a 100644 >> --- a/doc/apps/x509v3_config.pod >> +++ b/doc/apps/x509v3_config.pod >> @@ -220,7 +220,7 @@ certain values are meaningful, for example OCSP >> and caIssuers. >> >> Example: >> >> - authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ >> + authorityInfoAccess = OCSP;URI:http://ocsp.my.host >> authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> Development Mailing List [email protected] >> Automated List Manager [email protected] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
