[openssl.org #2855] [PATCH] Fix forward loops in Squid 3.2

2012-07-28 Thread Alexander Komyagin via RT
Due to a typo Squid 3.2 cannot correctly handle forward loops in transparent mode. You can see it with wget -O /dev/null -S http://transparent_squid_proxy:some_port/ Attached patch fixes the issue. -- Best wishes, Alexander Komyagin --- squid-3.2.0.16/src/client_side_reply.cc 2012-03-07 06:42

[openssl.org #2417] [Enhancement] X509 verification with OCSP support

2012-07-24 Thread Alexander Komyagin via RT
omeday extended OCSP functionality will go into upstream, though this will require additional efforts. Attached patch was tested in our company and seems to work fine. -- Best wishes, Alexander Komyagin diff --git a/apps/apps.c b/apps/apps.c index 4e11915..47f8c2f 100644 --- a/apps/apps

Re: [FEATURE] OCSP functionality patch

2012-06-17 Thread Alexander Komyagin
's certificate validity (not necessary if this certificate has > an OCSPNoCheck extension, but some don't have this extension). > > On 08/06/2012 13:07, Alexander Komyagin wrote: > > [...] > > How it works: > > > > 1) OCSP revocation check is done rig

Re: [FEATURE] OCSP functionality patch

2012-06-08 Thread Alexander Komyagin
ecessary if this certificate has > an OCSPNoCheck extension, but some don't have this extension). OCSP responder's certificate revocation status is only checked against CRL's. (via OCSP_basic_verify()). > > On 08/06/2012 13:07, Alexander Komyagin wrote: > > [...] >

[FEATURE] OCSP functionality patch

2012-06-08 Thread Alexander Komyagin
ILURE doesn't tell you much). -- Best wishes, Alexander Komyagin diff --git a/apps/apps.c b/apps/apps.c index 4e11915..47f8c2f 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2338,8 +2338,12 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_CB_ISSUER_CHECK; else if (!

OCSP development

2012-05-23 Thread Alexander Komyagin
ed in some other place (though check_revocation(X509_STORE_CTX *) seems rather logical place) or is there some other way to solve this problem? -- Best wishes, Alexander Komyagin

Re: OCSP question

2012-05-04 Thread Alexander Komyagin
Can you give me an example of such application? I'll take a look at it. On Fri, 2012-05-04 at 13:14 +0200, Dr. Stephen Henson wrote: > On Thu, May 03, 2012, Alexander Komyagin wrote: > > > Thanks for the note, Stephen! I'll certainly take this into account. > > If

Re: OCSP question

2012-05-03 Thread Alexander Komyagin
hment to be fast. Good service will handle other connections in a separate thread for the sake of availability, won't it? On Thu, 2012-05-03 at 13:11 +0200, Dr. Stephen Henson wrote: > On Thu, May 03, 2012, Alexander Komyagin wrote: > > > Hi! In our project we want to perform a com

Re: Re:OCSP question

2012-05-03 Thread Alexander Komyagin
arg, arglen) \ > SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void > *)arg) > > > > > > At 2012-05-03 15:23:49,"Alexander Komyagin" wrote: > >Hi! In our project we want to perform a complete global switch to OCSP > >certificate verification (for a num

OCSP question

2012-05-03 Thread Alexander Komyagin
. There is only one check_revocation() function, which checks a chain against CRL's. I think that check_revocation() can be altered to use OCSP instead just like ocsp-app does. Or shall I use any other place to perform OCSP verification? Thanks! -- Best wishes