effectively providing a limitless OCSP staple is kind of stupid - you may as well simply *not staple*
On Wed, Sep 6, 2017 at 8:23 AM, Bob Beck <[email protected]> wrote:
> I'm not super inclined to make this "flexible" unless we see this used in
> the wild, which I have not. We are more restrictive than
> OpenSSL in many areas.
>
> On Wed, Sep 6, 2017 at 1:31 AM, Andreas Bartelt <[email protected]> wrote:
>
>> On 09/06/17 04:40, Bob Beck wrote:
>>
>>> Andreas where are you seeing this as being a real issue - who is shipping
>>> out OCSP responses without a next update field?
>>>
>> I've noticed this while playing with a local CA and a corresponding OCSP
>> responder on my LAN. For openssl ocsp, the -nmin or -ndays argument is
>> optional. If these arguments are not explicitly provided, the next update
>> field will not be set.
>>
>>> On Sat, Sep 2, 2017 at 11:28 AM, Andreas Bartelt <[email protected]>
>>> wrote:
>>>
>>>> ocspcheck effectively treats a missing nextUpdate like an error, i.e., it
>>>> always provides a warning and no staplefile is written out. According to
>>>> RFC 6960, the nextUpdate field is optional. The following patch should
>>>> handle this case more gracefully and include a suitable debug message
>>>> only in case -vv is specified.
>>>>
>>>> OK?
>>>>
>>>> Index: src/usr.sbin/ocspcheck/ocspcheck.c
>>>> ===================================================================
>>>> RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
>>>> retrieving revision 1.21
>>>> diff -u -p -u -r1.21 ocspcheck.c
>>>> --- src/usr.sbin/ocspcheck/ocspcheck.c 8 May 2017 20:15:34 -0000 1.21
>>>> +++ src/usr.sbin/ocspcheck/ocspcheck.c 2 Sep 2017 17:09:00 -0000
>>>> @@ -368,7 +368,7 @@ validate_response(char *buf, size_t size >>>> { >>>> ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, >>>> *nextupd = >>>> NULL; >>>> const unsigned char **p = (const unsigned char **)&buf; >>>> - int status, cert_status=0, crl_reason=0; >>>> + int status, cert_status=0, crl_reason=0, next_update=0; >>>> time_t now, rev_t = -1, this_t, next_t; >>>> OCSP_RESPONSE *resp; >>>> OCSP_BASICRESP *bresp; >>>> @@ -447,12 +447,14 @@ validate_response(char *buf, size_t size >>>> return 0; >>>> } >>>> if ((next_t = parse_ocsp_time(nextupd)) == -1) { >>>> - warnx("unable to parse next update time in OCSP reply"); >>>> - return 0; >>>> + if (verbose >= 2) >>>> + fprintf(stderr, "Optional timestamp for next >>>> update not included in OCSP reply\n"); >>>> } >>>> + else >>>> + next_update = 1; >>>> >>>> /* Don't allow this update to precede next update */ >>>> - if (this_t >= next_t) { >>>> + if (next_update == 1 && this_t >= next_t) { >>>> warnx("Invalid OCSP reply: this update >= next >>>> update"); >>>> return 0; >>>> } >>>> @@ -481,7 +483,7 @@ validate_response(char *buf, size_t size >>>> /* >>>> * Check that next update is still valid >>>> */ >>>> - if (next_t < now - JITTER_SEC) { >>>> + if (next_update == 1 && next_t < now - JITTER_SEC) { >>>> warnx("Invalid OCSP reply: reply has expired (%s)", >>>> ctime(&next_t)); >>>> return 0; >>>> @@ -489,7 +491,8 @@ validate_response(char *buf, size_t size >>>> >>>> vspew("OCSP response validated from %s\n", host); >>>> vspew(" This Update: %s", ctime(&this_t)); >>>> - vspew(" Next Update: %s", ctime(&next_t)); >>>> + if (next_update == 1) >>>> + vspew(" Next Update: %s", ctime(&next_t)); >>>> return 1; >>>> } >>>> >>>> >>>> >>> >> >
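Review bot: in the `@@ -447,12 +447,14 @@` hunk the new branch cannot tell an absent nextUpdate from one that is present but unparseable, because both reach it as a -1 from parse_ocsp_time(), so a malformed nextUpdate now passes silently with only a -vv message where it used to be rejected with "unable to parse next update time in OCSP reply". Test for absence before parsing (for example `if (nextupd == NULL)` takes the verbose-only path) and keep the `warnx(...)` plus `return 0;` for a -1 from a field that is actually present. Style: the `+ else` on its own line after `}` should be written `} else` on one line to match the surrounding code.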
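Review bot: in the `@@ -481,7 +483,7 @@` hunk the expiry check is skipped outright when next_update is 0, so a response without nextUpdate never expires from ocspcheck's point of view and the staple it writes stays acceptable indefinitely, which is the "limitless OCSP staple" objection raised at the top of the thread. If the case is to be supported at all, the response should still be bounded, for example by rejecting it when this_t is older than some maximum age relative to now, rather than by dropping the check.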
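Review bot: in the `@@ -489,7 +491,8 @@` hunk the verbose output says nothing at all about nextUpdate when next_update is 0; printing a line such as `Next Update: (none)` in that branch would make the accepted-without-nextUpdate case visible to an operator running with -v, instead of it looking identical to a response whose nextUpdate was simply not shown.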
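As an added illustration of the option the thread is debating (example code, not ocspcheck's own code and not the patch above): a stand-alone check of the thisUpdate/nextUpdate window that accepts an absent nextUpdate but bounds the response's age so the staple cannot stay valid forever. The JITTER_SEC value, MAX_AGE_SEC, and the function and enum names are assumptions made for this example.

```c
#include <stdio.h>
#include <time.h>

#define JITTER_SEC  (5 * 60)              /* clock-skew allowance; value assumed */
#define MAX_AGE_SEC (7 * 24 * 60 * 60)    /* assumed cap when nextUpdate is absent */

enum ocsp_window { OCSP_OK = 0, OCSP_FUTURE, OCSP_INVERTED, OCSP_EXPIRED, OCSP_STALE };

/*
 * Validate the validity window of an OCSP response (example code, not
 * ocspcheck's). this_t is thisUpdate, next_t is nextUpdate or -1 when the
 * response carried none, now is the current time. Returns OCSP_OK or the
 * first reason the response must be rejected.
 */
enum ocsp_window
check_ocsp_window(time_t this_t, time_t next_t, time_t now)
{
	/* thisUpdate may not lie in the future beyond clock skew. */
	if (this_t > now + JITTER_SEC)
		return OCSP_FUTURE;

	if (next_t != -1) {
		/* thisUpdate must precede nextUpdate. */
		if (this_t >= next_t)
			return OCSP_INVERTED;
		/* The responder stated when newer data is due; honour it. */
		if (next_t < now - JITTER_SEC)
			return OCSP_EXPIRED;
		return OCSP_OK;
	}

	/*
	 * No nextUpdate: rather than skipping the expiry check (which would
	 * make the staple valid forever), cap how old thisUpdate may be.
	 */
	if (this_t < now - MAX_AGE_SEC)
		return OCSP_STALE;
	return OCSP_OK;
}

int
main(void)
{
	time_t now = time(NULL);
	/* Constructed inputs: a one-hour-old and a 30-day-old response, both without nextUpdate. */
	printf("fresh, no nextUpdate: %d\n", check_ocsp_window(now - 3600, -1, now));
	printf("30 days old, no nextUpdate: %d\n",
	    check_ocsp_window(now - 30 * 24 * 3600, -1, now));
	return 0;
}
```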
