OCSPDenier::ocspResponse in http/OCSPDenier.cpp contains a syntactically invalid OCSP response. OCSPResponse according to RFC 2560:
4.2.1 ASN.1 Specification of the OCSP Response
An OCSP response at a minimum consists of a responseStatus field
indicating the processing status of the prior request. If the value
of responseStatus is one of the error conditions, responseBytes are
not set.
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
--(4) is not used
sigRequired (5), --Must sign the request
unauthorized (6) --Request unauthorized
}
[...]
So instead of the string "3", the HTTP response body should contain an ASN.1 SEQUENCE, containing an ENUMERATED with the value 0x03 to be a valid OCSP response, which is a total of 5 bytes in the case of tryLater (responseBytes is not needed).
Incidentally, clients seem to ignore ASN.1 syntax errors in OCSP responses, so fixing this might not actually change client behaviour for many OCSP client implementations.
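For reference, here is an added example (not code from this project; the function names and the tag constants are mine) that builds the minimal DER-encoded OCSPResponse for an error status as described above, and a strict parser that accepts only a well-formed response. The parser rejects the bare string "3", rejects an error status that carries responseBytes, and handles long-form DER lengths so it also works on real, larger responses. The [0] EXPLICIT responseBytes element is only located, not decoded.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// RFC 2560 4.2.1:
//   OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus,
//                               responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
// For an error status responseBytes is absent, so the whole body is
//   SEQUENCE (0x30) len 3 { ENUMERATED (0x0a) len 1 <status> }  = 5 bytes.
enum class OcspResponseStatus : uint8_t {
    successful = 0, malformedRequest = 1, internalError = 2,
    tryLater = 3, sigRequired = 5, unauthorized = 6
};

// The HTTP body an OCSP responder should send for an error status
// (serve it with Content-Type: application/ocsp-response).
std::vector<uint8_t> encodeErrorResponse(OcspResponseStatus status) {
    return {0x30, 0x03, 0x0a, 0x01, static_cast<uint8_t>(status)};
}

struct Tlv { uint8_t tag; size_t headerLen; size_t len; };

// Reads a DER tag and definite length at `off`. Accepts short form and
// minimally encoded long form (up to 4 length bytes); rejects indefinite
// form and non-minimal lengths, as DER requires.
static bool readTlv(const std::vector<uint8_t>& d, size_t off, Tlv& out) {
    if (off + 2 > d.size()) return false;
    out.tag = d[off];
    const uint8_t first = d[off + 1];
    if (first < 0x80) {
        out.len = first; out.headerLen = 2;
    } else {
        const size_t n = first & 0x7f;
        if (n == 0 || n > 4 || off + 2 + n > d.size()) return false;
        if (d[off + 2] == 0) return false;            // leading zero byte: not minimal
        size_t len = 0;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | d[off + 2 + i];
        if (n == 1 && len < 0x80) return false;         // should have used short form
        out.len = len; out.headerLen = 2 + n;
    }
    return off + out.headerLen + out.len <= d.size();  // value must fit in the buffer
}

// Returns the responseStatus if `d` is a well-formed OCSPResponse, else nullopt.
// An error status with responseBytes present is rejected (RFC 2560 4.2.1).
std::optional<OcspResponseStatus> parseResponseStatus(const std::vector<uint8_t>& d) {
    Tlv seq;
    if (!readTlv(d, 0, seq) || seq.tag != 0x30 || seq.headerLen + seq.len != d.size())
        return std::nullopt;
    size_t off = seq.headerLen;
    Tlv en;
    if (!readTlv(d, off, en) || en.tag != 0x0a || en.len != 1) return std::nullopt;
    const uint8_t v = d[off + en.headerLen];
    switch (v) { case 0: case 1: case 2: case 3: case 5: case 6: break; default: return std::nullopt; }
    off += en.headerLen + en.len;
    const bool hasResponseBytes = off < d.size();
    if (hasResponseBytes) {
        Tlv rb;  // [0] EXPLICIT, context-specific constructed tag 0xa0; contents not decoded here
        if (!readTlv(d, off, rb) || rb.tag != 0xa0 || off + rb.headerLen + rb.len != d.size())
            return std::nullopt;
        if (v != 0) return std::nullopt;  // responseBytes must not be set on an error status
    }
    return static_cast<OcspResponseStatus>(v);
}

int main() {
    const auto body = encodeErrorResponse(OcspResponseStatus::tryLater);
    for (uint8_t b : body) std::printf("%02x ", b);  // 30 03 0a 01 03
    std::printf("\n");
    return parseResponseStatus(body) == OcspResponseStatus::tryLater ? 0 : 1;
}
```

The strictness here is deliberate: a lenient client that accepts the bare byte 0x33 as "tryLater" is exactly the behaviour the comment above describes, and a checker like this is how you would tell whether a responder is actually emitting valid DER.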