[cabfpub] OpenSSL OCSP bugs

Peter Bowen pzb at amzn.com
Sat Aug 20 04:03:22 UTC 2016


We recently ran into some problems with OpenSSL's OCSP verification code and I figure others in this group might find the information useful.

In OpenSSL 1.0.2a, 1.0.1m, 0.9.8zf and earlier, OpenSSL requires that the certificate for the OCSP response signer is directly signed by a trusted root or that the OCSPBasicResponse includes the cross-certificates necessary to build a path back to a trusted root.  It will search the certificates sent by a TLS server in the ServerCertificate message for the signer certificate but will not use any cross-certificates sent in the TLS ServerCertificate response.

In OpenSSL 1.0.2b, 1.0.1n, 0.9.8zg and later, OpenSSL still requires a path back to a trusted root but will use cross-certificates from the ServerCertificate message when there is a certs member of the BasicOCSPResponse.  When the certs member is missing it has the same behaviour as older OpenSSL versions.  In these versions a zero length sequence will trigger the desirable behaviour.

This means that CAs that are using non-delegated signing for OCSP responses (e.g. the CA key signs the response) will run into issues if they are skipping the optional certs attribute in the BasicOCSPResponse unless they are sure that CA is is signed by a trusted root.  For example, if the chain is EndEntity -> Server CA -> Root G2 -> Root G1 and the client does not have Root G2 in its trust store, then OCSP validation will fail if there is no certs attribute.

Note that all of this is not covered in the OCSP specifications in RFC 2560 and 6960.  OpenSSL basically doesn't implement the simple direct signing method, instead it performs chain validation even on responses signed by the CA.

I hope that this is helpful to at least a few people.

Thanks,
Peter


More information about the Public mailing list