openssl ocsp(responder) cmd is giving error for ipv6

openssl ocsp(responder) cmd is giving error for ipv6

perumal v
Hi All,
        I tried openssl ocsp for IPv6 and got the error message for the OCSP.

  IPv6 address with the "[]" brackets:
--------------------------------------------------- 
openssl ocsp -url http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/ -issuer /etc/cert/ipsec/cert0/ca.crt -CAfile /etc/cert/ipsec/cert0/ca.crt -cert /etc/cert/ipsec/cert0/cert.crt
Error creating connect BIO
140416130504448:error:20088081:BIO routines:BIO_parse_hostserv:ambiguous host or service:crypto/bio/b_addr.c:547:

IPv6 address without the "[]" brackets:
--------------------------------------------------
openssl ocsp -url http://2001:DB8:64:FF9B:0:0:A0A:285E:8090/ocsp-100/ -issuer /etc/cert/ipsec/cert0/ca.crt -CAfile /etc/cert/ipsec/cert0/ca.crt -cert /etc/cert/ipsec/cert0/cert.crt
Error connecting BIO
Error querying OCSP responder

I am using this OpenSSL version (output of "openssl version"):
OpenSSL 1.1.1h  22 Sep 2020

Can anybody help me find out whether this is the correct way to use it?

Thanks,
Perumal.

RE: openssl ocsp(responder) cmd is giving error for ipv6

Michael Wojcik
> From: openssl-users <[hidden email]> On Behalf Of perumal v
> Sent: Monday, 2 November, 2020 07:57

> I tried openssl ocsp for ipv6 and got the error message for the OCSP.

> openssl ocsp -url http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/ -issuer ...
> Error creating connect BIO
> 140416130504448:error:20088081:BIO routines:BIO_parse_hostserv:ambiguous host or
> service:crypto/bio/b_addr.c:547:

A quick look at the code suggests this is a bug in OpenSSL. OCSP_parse_url removes the square brackets from a literal IPv6 address in the URL, but BIO_parse_hostserv requires they be present. But I didn't look closely, so I'm not entirely sure that's the issue.

> IPv6 address without the "[]" bracket.

The square brackets are required by the URL specification. There's no point testing without them.

--
Michael Wojcik

Re: openssl ocsp(responder) cmd is giving error for ipv6

perumal v
Hi,
         it started working after a modification in OCSP_parse_url.
         The change is highlighted below; basically it keeps the [] brackets for IPv6:

OCSP_parse_url
    p = host;
    if (host[0] == '[') {
        /* ipv6 literal */
//        host++;
        p = strchr(host, ']');
        if (!p)
            goto parse_err;
//        *p = '\0';
        p++;
    }
Is this the correct way to do so?

Thanks for your help Michael.

Thanks
Perumal

On Tue, Nov 3, 2020 at 8:40 PM Michael Wojcik <[hidden email]> wrote:

RE: openssl ocsp(responder) cmd is giving error for ipv6

Michael Wojcik
> From: perumal v <[hidden email]>
> Sent: Wednesday, 4 November, 2020 02:13

> change is highlighted below and basically keeping [] brackets for ipv6 :
>
> OCSP_parse_url
>  p = host;
>    if (host[0] == '[') {
>        /* ipv6 literal */
> //        host++;
>        p = strchr(host, ']');
>        if (!p)
>            goto parse_err;
> //       *p = '\0';
>        p++;
>    }
>   Is this the correct way to do so?

Based on my very cursory investigation, that looks right to me, but I don't know where else OCSP_parse_url might be used, and whether anything else depends on the existing semantics of removing the brackets. Someone should take a closer look.

You could open an issue in GitHub and do a pull request for your change, to make your suggestion official.

--
Michael Wojcik
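As an added example (not code from this thread and not OpenSSL's own code), the following stand-alone C program models the two steps Michael describes and the change Perumal made: a URL splitter that either drops or keeps the "[]" around an IPv6 literal, followed by a host:service splitter that rejects a bare string containing more than one ':' as "ambiguous host or service", which is the rule BIO_parse_hostserv applies. It links nothing from libcrypto; split_url, split_hostserv, responder_host_check, last_host/last_serv and the PARSE_* codes are this example's own names, and every URL other than the poster's is constructed for illustration.

```c
/* Added example, not OpenSSL's own code: the two parsing steps the thread
 * discusses, reproduced without linking libcrypto. split_url() mimics
 * OCSP_parse_url() dropping (1.1.1h) or keeping (proposed change) the "[]" of
 * an IPv6 literal; split_hostserv() applies BIO_parse_hostserv()'s rule. */
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 128
enum { PARSE_OK = 0, PARSE_ERR_SYNTAX = 1, PARSE_ERR_AMBIGUOUS = 2 };

static int copy_field(char dst[FIELD_MAX], const char *src, size_t n)
{
    if (n >= FIELD_MAX)                    /* does not fit: fail closed */
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* "http[s]://host[:port][/path]" -> host, port, path, use_ssl.
 * keep_brackets == 0: an IPv6 literal comes back without its "[]" (1.1.1h);
 * keep_brackets == 1: the "[]" stay (the change proposed in the thread). */
static int split_url(const char *url, int keep_brackets, char host[FIELD_MAX],
                     char port[FIELD_MAX], char path[FIELD_MAX], int *use_ssl)
{
    const char *p = url, *end;
    *use_ssl = strncmp(p, "https://", 8) == 0;
    if (!*use_ssl && strncmp(p, "http://", 7) != 0)
        return PARSE_ERR_SYNTAX;
    p += *use_ssl ? 8 : 7;
    if (*p == '[') {                       /* IPv6 literal */
        if ((end = strchr(p, ']')) == NULL)
            return PARSE_ERR_SYNTAX;
        if (!copy_field(host, p + !keep_brackets, (size_t)(++end - p) - 2 * !keep_brackets))
            return PARSE_ERR_SYNTAX;
    } else {                               /* name or IPv4: stop at ':' or '/' */
        end = p + strcspn(p, ":/");
        if (end == p || !copy_field(host, p, (size_t)(end - p)))
            return PARSE_ERR_SYNTAX;
    }
    p = end;
    if (*p == ':') {                       /* explicit port */
        size_t n = strcspn(++p, "/");
        if (n == 0 || !copy_field(port, p, n))
            return PARSE_ERR_SYNTAX;
        p += n;
    } else {
        strcpy(port, *use_ssl ? "443" : "80");
    }
    if (*p == '\0')
        p = "/";
    return (*p == '/' && copy_field(path, p, strlen(p))) ? PARSE_OK : PARSE_ERR_SYNTAX;
}

/* "host[:service]" -> host, service. "[v6]" or "[v6]:svc" is accepted (brackets
 * removed), "name:svc" splits at the one ':', 2+ ':' without "[]" is ambiguous. */
static int split_hostserv(const char *hs, char host[FIELD_MAX], char serv[FIELD_MAX])
{
    const char *h = hs, *hend, *s = "";
    if (*h == '[') {
        hend = strchr(++h, ']');
        if (hend == NULL || (hend[1] != '\0' && hend[1] != ':'))
            return PARSE_ERR_SYNTAX;
        if (hend[1] == ':')
            s = hend + 2;
    } else {
        const char *first = strchr(h, ':');
        if (first != strrchr(h, ':'))
            return PARSE_ERR_AMBIGUOUS;    /* the error the poster saw */
        hend = first ? first : h + strlen(h);
        if (first)
            s = first + 1;
    }
    if (!copy_field(host, h, (size_t)(hend - h)) || !copy_field(serv, s, strlen(s)))
        return PARSE_ERR_SYNTAX;
    return PARSE_OK;
}

/* The ocsp app's flow in miniature: URL -> host string -> connect-BIO parser.
 * What that parser accepted as host and service is left in last_host/last_serv. */
static char last_host[FIELD_MAX], last_serv[FIELD_MAX];
static int responder_host_check(const char *url, int keep_brackets)
{
    char host[FIELD_MAX], port[FIELD_MAX], path[FIELD_MAX];
    int use_ssl, rc = split_url(url, keep_brackets, host, port, path, &use_ssl);
    return rc != PARSE_OK ? rc : split_hostserv(host, last_host, last_serv);
}

int main(void)
{
    const char *url = "http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/";
    int keep;
    for (keep = 0; keep < 2; keep++) {
        int rc = responder_host_check(url, keep);
        printf("keep_brackets=%d -> %s\n", keep, rc == PARSE_OK ? last_host :
               rc == PARSE_ERR_AMBIGUOUS ? "ambiguous host or service" : "syntax error");
    }
    return 0;
}
```

Build with "cc -o v6url v6url.c" and run it. With keep_brackets=0 the poster's URL reaches the host:service step as a bare 2001:DB8:... string and is rejected as ambiguous, mirroring the first error in the thread; with keep_brackets=1 it arrives as "[2001:DB8:64:FF9B:0:0:A0A:285E]" and parses cleanly. Note that the un-bracketed URL does not fail in either mode: it silently parses with host "2001" and everything after the first ':' as the port, which is one more reason a test without the brackets tells you nothing.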