After hours of desperately trying to implement some kind of working ocsp
check (using the code from apps/ocsp.c) in the verification callback I
finally gave up and applied Alexander Konyagin's patch (I found a new
message from him with an updated one) to the 1.0.1c sources that I had
previously downloaded.

I just placed a call to X509_STORE_set_flags(my_ctx,
X509_V_FLAG_OCSP_CHECK_ALL) before SSL_connect() and everything worked
like a charm!! :-) (Strangely, with X509_V_FLAG_OCSP_CHECK my ocsp
responder was never queried - seems like a bug, or I haven't caught up on
something.) I could even use ocsp without adding the AIA extension to my
certificates! (I used X509_set_cert_ocsp_opt() for that.)

I already e-mailed this guy about the
X509_V_FLAG_OCSP_CHECK_ALL/X509_V_FLAG_OCSP_CHECK flags, but he hasn't
replied yet. Do you think that his patch will also work with forthcoming
releases of openssl??

On Wed, 2012-06-20 at 23:47 +0200, jb-open...@wisemo.com wrote:
> Of course you shouldn't write your own OCSP code.  OCSP is already part of
> the OpenSSL library and the file apps/ocsp.c shows how to use it.
> 
> Alexander Konyagin's patch from 12 days ago doesn't seem to have been
> reviewed or commented on by anybody else, so I am not sure if it is because
> he also posted it on a dev list, if it is so perfect that even the top experts
> had no comments, if they are still testing it or if they rejected it; I
> simply don't know at this time.  Anyway, as his patch extends the OpenSSL
> API, I wouldn't use it until it has been integrated and adapted for an
> official OpenSSL release, as this ensures compatibility with future code
> updates.
> 
> apps/ocsp.c is released code though, and the OpenSSL functions it calls
> are official released API functions, but it doesn't hook itself into the
> regular certificate verification, which seems to be what Alexander's patch
> adds.
> 
> On 20-06-2012 17:19, JT Rosin wrote:
> > Hi, Jakob! Though it may work, I personally don't think that it's a good
> > idea to implement ocsp code myself! Not only because I'm a lazy guy, but
> > mainly for practical reasons :-)
> >
> > On Google I found that some guy had already made a patch that brings
> > some kind of ocsp client functionality to openssl
> > (http://www.mail-archive.com/openssl-users@openssl.org/msg67721.html).
> > I'll check that one tomorrow!!
> >
> >
> > On Wed, 2012-06-20 at 16:04 +0200, Jakob Bohm wrote:
> >> Look in the openssl source code in the "apps" directory.  There you will
> >> find the source code for each of the openssl command line subcommands
> >> (including "openssl ocsp").  Use this as inspiration for how to do the
> >> ocsp directly in your code.
> >>
> >> For most of the openssl command line subcommands, the code in apps is
> >> just a thin wrapper around some of the documented interface calls, with
> >> most of the code in apps dealing with the command line options, loading
> >> certificates from files and other extra stuff you probably will not need
> >> if the stuff is already in memory and you only want to do one or two
> >> things, not all the possible permutations of command line options.
> >>
> >> On 6/20/2012 2:53 PM, JT Rosin wrote:
> >>> Any help on this??
> >>>
> >>> On Mon, 2012-06-18 at 15:32 +0400, JT Rosin wrote:
> >>>> Hello to everybody!!
> >>>>
> >>>> I'm writing a client/server app with communication over SSL. Every setup
> >>>> can be a server or a client so I think I could benefit from using ocsp
> >>>> for validation purposes!
> >>>>
> > >>>> I'm very new to openssl but I found that I can use the bundled command-line
> > >>>> `ocsp` application for checking certificates. The documentation says that I
> > >>>> need to call it with the remote certificate as an argument.
> > >>>> I think I can get that certificate itself by calling
> > >>>> SSL_get_peer_certificate(), though I have absolutely no idea how to pass
> > >>>> the certificate to the command-line app.
> >>>>
> >>>> Thanks for your help!!
> >>>> BRs, JT.
> >>>>
> Enjoy
> 
> 
> Jakob
> 
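
The question JT opened with (how to hand a peer certificate to the bundled `openssl ocsp` app) and Jakob's pointer to apps/ocsp.c can be exercised end to end without touching the network. The script below is an added example, not code from anyone in this thread or from the OpenSSL project: it builds a throwaway CA and leaf certificate, writes the CA index file the responder reads, runs `openssl ocsp` as a responder on 127.0.0.1, and then queries it the way a client would, once with the leaf valid and once after marking it revoked. The port numbers, file names and the `/CN=demo-peer` subject are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread: an offline OCSP round trip with
# the bundled "openssl ocsp" app.  The throwaway CA, the leaf certificate,
# the CA index file, the port range and the file names below are all
# assumptions made for this demo; nothing leaves 127.0.0.1.

set -e

WORK=$(mktemp -d)
NEXT_PORT=18080          # each responder start uses a fresh port
OCSP_PORT=""
RESPONDER_PID=""

cleanup() {
    [ -n "$RESPONDER_PID" ] && kill "$RESPONDER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# Throwaway CA plus one leaf certificate signed by it (fixed serial 0x1001,
# so the index entry is easy to check by eye).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo OCSP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-peer" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial 0x1001 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# The CA database the responder consults: one tab-separated line per cert
# (status, expiry, revocation date, serial, file, subject).  $1 is "V" for
# valid or "R" for revoked; the responder matches entries by hex serial.
write_index() {
    serial=$(openssl x509 -in "$WORK/leaf.pem" -noout -serial | cut -d= -f2)
    if [ "$1" = "R" ]; then
        printf 'R\t991231235959Z\t240101000000Z\t%s\tunknown\t/CN=demo-peer\n' "$serial"
    else
        printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=demo-peer\n' "$serial"
    fi > "$WORK/index.txt"
}

# Run "openssl ocsp" in responder mode, signing answers with the CA key.
start_responder() {
    OCSP_PORT=$NEXT_PORT
    NEXT_PORT=$((NEXT_PORT + 1))
    openssl ocsp -index "$WORK/index.txt" -port "$OCSP_PORT" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -CA "$WORK/ca.pem" \
        >/dev/null 2>&1 &
    RESPONDER_PID=$!
}

stop_responder() {
    kill "$RESPONDER_PID" 2>/dev/null || true
    wait "$RESPONDER_PID" 2>/dev/null || true
    RESPONDER_PID=""
}

# Client side: the peer certificate and its issuer go in, the signed response
# is verified against the CA, and the status comes out as one word:
# "good", "revoked", "unknown" or "error" (unreachable responder, or a
# response that failed signature/chain verification).
query_status() {
    attempt=0
    while [ "$attempt" -lt 10 ]; do
        out=$(openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
            -url "http://127.0.0.1:$OCSP_PORT" -CAfile "$WORK/ca.pem" 2>&1) || true
        case "$out" in
            *"Response verify OK"*|*"Response Verify Failure"*) break ;;
        esac
        attempt=$((attempt + 1))     # responder may still be starting up
        sleep 1
    done
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo error; return 0 ;;
    esac
    case "$out" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Full cycle: valid leaf, then the same leaf after revocation.
# Prints "good" and then "revoked".
ocsp_demo() {
    make_test_pki
    write_index V
    start_responder
    query_status
    stop_responder
    write_index R
    start_responder
    query_status
    stop_responder
}

ocsp_demo
```

In a real client the `-cert` input is the certificate returned by SSL_get_peer_certificate() written out with PEM_write_X509(), and `-issuer` is the next certificate up in the chain from SSL_get_peer_cert_chain(). The script reports `error` both when the responder cannot be reached and when `Response Verify Failure` comes back; treating either as a failed validation is the hard-fail choice, and a client that instead ignores transport errors silently skips the check whenever the responder is unreachable.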


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
