Updated details. If we do compare the two requests (one failing because of "not 
enough data", one working fine), there are obvious differences in receiving the 
response.

Working fine:
[Tue Jul 07 14:32:24 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] 
sending request to OCSP responder
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] 
OCSP response header: Date: Tue, 07 Jul 2009 13:32:52 GMT
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] 
OCSP response header: Server: Apache-Coyote/1.1
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] 
OCSP response header: Content-Type: application/ocsp-response
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] 
OCSP response header: Content-Length: 1585
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] 
OCSP response header: Connection: close
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] 
OCSP response: got 1585 bytes, 1585 total
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(258): [client 10.200.48.140] 
MWDE/nm: OCSP response in data: 0\x82\x06-\n\x01
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(234): [client 10.200.48.140] 
OCSP response: got EOF


Failing:
[Tue Jul 07 14:38:23 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] 
sending request to OCSP responder
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] 
OCSP response header: Date: Tue, 07 Jul 2009 13:38:51 GMT
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] 
OCSP response header: content-type: application/ocsp-response
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] 
OCSP response header: content-length: 1212
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] 
OCSP response header: Connection: close
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] 
OCSP response: got EOF
[Tue Jul 07 14:38:24 2009] [error] SSL Library Error: error:0D06B08E:asn1 
encoding routines:ASN1_D2I_READ_BIO:not enough data
[Tue Jul 07 14:38:24 2009] [error] [client 172.30.64.154] failed to decode OCSP 
response data

This actually looks like we do not receive any response data except headers. 
The code branch, where we print out the response data is not even called, 
because the receive-bucket seems to be empty after the headers have been read 
out (Apache/mod_ssl/ssl_util_ocsp.c, "while (!APR_BRIGADE_EMPTY(bb))" --> 
copies from bb to bio).

What disturbs me: Doing the same request from the same system with a generic 
OCSP-client (Java-based, using Bouncycastle-lib) works fine ("OCSP Response: 
GOOD").

Any ideas?

Kind regards
 Natanael Mignon

________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on 
behalf of Dr. Stephen Henson [st...@openssl.org]
Sent: Friday, 3 July 2009 18:39
To: openssl-users@openssl.org
Subject: Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data


I suggest you check to see if you really get 1212 bytes of data in the
response and log them somewhere. If you post the result it can be analysed to
see if the response is valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
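
The check suggested in the thread (are the declared bytes really received, and do they form a complete DER structure?) can be run offline against a captured responder reply. The script below is an added example, not part of the original messages and not mod_ssl code; the function names, the status line and the zero padding in the sample replies are assumptions, while the header values and the six leading body bytes are taken from the logs above.

```python
# Added diagnostic example (not mod_ssl code). Sample replies below are constructed
# from the header values and the six logged body bytes in the post.

def der_total_length(data: bytes):
    """Bytes the outer DER SEQUENCE claims (header + content); None if unreadable."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    if data[1] < 0x80:                            # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                            # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_ocsp_reply(raw: bytes) -> dict:
    """Compare declared Content-Length, received body size and DER length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        # HTTP header names are case-insensitive, so normalise before lookup
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    declared = int(headers["content-length"]) if "content-length" in headers else None
    der_len = der_total_length(body)
    if not body:
        verdict = "headers only, no body bytes"
    elif declared is not None and len(body) < declared:
        verdict = "body shorter than Content-Length"
    elif der_len is None:
        verdict = "body does not start with a DER SEQUENCE"
    elif der_len > len(body):
        verdict = "DER structure truncated"
    else:
        verdict = "ok"
    return {"declared": declared, "received": len(body),
            "der_total": der_len, "verdict": verdict}

# Constructed samples: status line and zero padding are assumptions.
WORKING = (b"HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n"
           b"Content-Length: 1585\r\nConnection: close\r\n\r\n"
           b"0\x82\x06-\n\x01" + bytes(1579))
FAILING = (b"HTTP/1.1 200 OK\r\ncontent-type: application/ocsp-response\r\n"
           b"content-length: 1212\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("working", WORKING), ("failing", FAILING)):
        print(label, check_ocsp_reply(raw))
```

The logged prefix `0\x82\x06-\n\x01` decodes to a SEQUENCE with a two-octet length of 0x062D (1581), so the structure needs 1585 bytes in total, which matches the Content-Length of the working reply.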
