https://bz.apache.org/bugzilla/show_bug.cgi?id=62221
Bug ID: 62221
Summary: OCSP response processing uses always the first entry in the response
Product: Tomcat Native
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Library
Assignee: dev@tomcat.apache.org
Reporter: dirk.st...@dachpc.com
Target Milestone: ---

The OCSP revocation check in Tomcat Native always chooses the first entry in the response from the OCSP responder. The following line in the code is responsible for this selection:

    ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */

in /native/src/sslutils.c (from what I can tell, all versions that include this feature).

However, we experienced weird behaviour with the OCSP revocation check, since our PKI uses pre-produced (and signed) responses, which usually consist of multiple certificate entries (for further performance optimizations, I guess; unfortunately I have no insight there). Checking the OCSP RFC (https://tools.ietf.org/html/rfc6960), I don't see anything there suggesting that this is incorrect behaviour of the OCSP responder.

Unfortunately this leads to unpredictable behaviour of Tomcat and renders the revocation check practically useless in this case.