OpenSSL OCSP Responder used in a CGI script - I found the bug


OpenSSL OCSP Responder used in a CGI script - I found the bug

Walter H.
Hello,

when using

openssl ocsp ...

in a CGI script, you must use -noverify
because without, this creates the line

Response verify OK

neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line
"disappear"

so this produces either a 500 page or an invalid OCSP response is sent,
which results in Firefox in either:

The OCSP server returned unexpected/invalid HTTP data.
(Error code: sec_error_ocsp_bad_http_response)

or in:

The response from the OCSP server was corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_response)

Wireshark was a good help in finding this out;

Greetings from Austria,
Walter Höhlhubmer




Re: OpenSSL OCSP Responder used in a CGI script - I found the bug

Dr. Stephen Henson
On Wed, Dec 12, 2012, Walter H. wrote:

> Hello,
>
> when using
>
> openssl ocsp ...
>
> in a CGI script, you must use -noverify
> because without, this creates the line
>
> Response verify OK
>
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line
> "disappear"
>
> so this produces either a 500 page or an invalid OCSP response is
> sent, which results in Firefox in either:
>
> The OCSP server returned unexpected/invalid HTTP data.
> (Error code: sec_error_ocsp_bad_http_response)
>
> or in:
>
> The response from the OCSP server was corrupted or improperly formed.
> (Error code: sec_error_ocsp_malformed_response)
>
> Wireshark was a good help in finding this out;
>

My guess from that is you're using it as a responder: there isn't much
point in having it verify its own responses: what command line options are you
using?

Also that message is sent to stderr so you should be able to redirect it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: OpenSSL OCSP Responder used in a CGI script - I found the bug

Salz, Rich
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line "disappear"

Redirections happen left-to-right.  So do this:
    >/dev/null 2>&1
Or the simpler
   2>/dev/null

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA

Re: OpenSSL OCSP Responder used in a CGI script - I found the bug

Walter H.
In reply to this post by Dr. Stephen Henson
Dr. Stephen Henson wrote:

> On Wed, Dec 12, 2012, Walter H. wrote:
>
>  
>> Hello,
>>
>> when using
>>
>> openssl ocsp ...
>>
>> in a CGI script, you must use -noverify
>> because without, this creates the line
>>
>> Response verify OK
>>
>> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line
>> "disappear"
>>
>> so this produces either a 500 page or an invalid OCSP response is
>> sent, which results in Firefox in either:
>>
>> The OCSP server returned unexpected/invalid HTTP data.
>> (Error code: sec_error_ocsp_bad_http_response)
>>
>> or in:
>>
>> The response from the OCSP server was corrupted or improperly formed.
>> (Error code: sec_error_ocsp_malformed_response)
>>
>> Wireshark was a good help in finding this out;
>>
>>    
>
> My guess from that is you're using it as a responder: there isn't much
> point in having it verify its own responses: what command line options are you
> using?
>
> Also that message is sent to stderr so you should be able to redirect it.
>  
this is the whole CGI script


#!/bin/bash
# CGI front end around "openssl ocsp" running as a responder.
# ./recvocspreq stores the POSTed request body in a file and prints that
# file name; ./sendocspresp writes the response file back to the client
# with the HTTP headers. Neither helper is included in the post.
function intro
{
  OPENSSLVERSION=$(openssl version)
  echo -e -n "Content-type: text/plain\n\n"
  echo -e -n "OCSP Interface ($OPENSSLVERSION)\n\n"
}
function invalidInput
{
  intro
  echo -e -n "Invalid OCSP request.\n"
}
case "$REQUEST_METHOD" in
  "GET")
    intro
    ;;
  "POST")
    if [ "$CONTENT_TYPE" == "application/ocsp-request" ]; then
      OCSPFILE=$(./recvocspreq)
      if [ $? -eq 0 ]; then
        # The command is one line (continued with backslashes). Anything
        # openssl writes to stderr, such as "Response verify OK", would
        # otherwise end up in the CGI output, so stderr is discarded.
        openssl ocsp -index index.txt -VAfile ocspResponse.crt \
            -CA chained01CAs.crt -rsigner ocspResponse.crt -rkey ocspResponse.key \
            -nmin 5 -resp_key_id -noverify \
            -reqin "$OCSPFILE" -respout "$OCSPFILE-resp" 2>/dev/null
        ./sendocspresp "$OCSPFILE-resp"
        rm -f "$OCSPFILE" "$OCSPFILE-resp"
      else
        invalidInput
      fi
    else
      invalidInput
    fi
    ;;
esac


Re: OpenSSL OCSP Responder used in a CGI script - I found the bug

Walter H.
In reply to this post by Salz, Rich
Salz, Rich wrote:
>> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line "disappear"
>>    
>
> Redirections happen left-to-right.  So do this:
>     >/dev/null 2>&1
>  
left-to-right?  outer-to-inner, I understand;
> Or the simpler
>    2>/dev/null
ok

Thanks,
Walter

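The redirection order Rich describes, and what each form puts into the HTTP body that Walter's CGI script hands to the browser, as an added example that is not part of the thread. fake_ocsp is a constructed stand-in for "openssl ocsp" run as a responder: it writes the diagnostic line to stderr and a few constructed bytes (standing in for the start of a DER OCSPResponse) to stdout. It is not openssl, and no real OCSP data, keys or index are involved; the three body_* functions and starts_with_der_sequence are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. fake_ocsp is a constructed stand-in for
# "openssl ocsp" acting as a responder: the diagnostic goes to stderr, the
# (constructed, not real) response bytes go to stdout.
fake_ocsp() {
    printf 'Response verify OK\n' >&2   # what openssl prints without -noverify
    printf '\060\202\001\052'          # stand-in for a DER SEQUENCE header (0x30 ...)
}

# Walter's original form. Redirections apply left to right: "2>&1" first
# points stderr at the CURRENT stdout (the CGI body), and only then does
# ">/dev/null" move stdout away. The diagnostic line lands in the body and
# the real response is thrown away.
body_wrong_order() {
    fake_ocsp 2>&1 >/dev/null
}

# Rich's first suggestion: stdout goes to /dev/null first, then stderr is
# pointed at that same sink, so nothing reaches the body at all.
body_right_order() {
    fake_ocsp >/dev/null 2>&1
}

# Rich's simpler form, and the one a responder wants: drop stderr only and
# keep the response bytes on stdout for the CGI body.
body_stderr_only() {
    fake_ocsp 2>/dev/null
}

# A DER-encoded OCSPResponse starts with a SEQUENCE tag, byte 0x30. A body
# with a text line in front of it no longer parses, which is the
# sec_error_ocsp_malformed_response case from the first post. Reads stdin,
# succeeds (exit 0) if the first byte is 0x30.
starts_with_der_sequence() {
    [ "$(od -An -tx1 -N1 | tr -d ' \n')" = "30" ]
}

# Stand-alone run: show what each form puts into the body.
if [ "${1:-}" = "demo" ]; then
    printf 'wrong order : %s\n' "$(body_wrong_order | od -An -c)"
    printf 'right order : %s\n' "$(body_right_order | od -An -c)"
    printf 'stderr only : %s\n' "$(body_stderr_only | od -An -c)"
fi
```

Run with "sh example.sh demo" to see the three bodies as od dumps. Whatever ./sendocspresp does, the DER bytes it writes must be preceded only by the HTTP headers (Content-Type: application/ocsp-response, then a blank line); any other text in front of them, including a stray stderr line, gives the browser an unparseable response.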