Correctly handle server requests for an OCSP response - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	tb <>	2020-08-03 19:27:57 +0000
committer	tb <>	2020-08-03 19:27:57 +0000
commit	e9cd27a8fe1871d70e7986a755c746f3c3bfbca9 (patch)
tree	962a3586c7058b6b794528e41f330336abdf1a07 /src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
parent	2bc9beff4e7e4404b48e98e8c4bccfe464a47b90 (diff)
download	openbsd-e9cd27a8fe1871d70e7986a755c746f3c3bfbca9.tar.gz openbsd-e9cd27a8fe1871d70e7986a755c746f3c3bfbca9.tar.bz2 openbsd-e9cd27a8fe1871d70e7986a755c746f3c3bfbca9.zip

Correctly handle server requests for an OCSP response

According to RFC 8446, 4.4.2.1, a server may request that a client present an OCSP response with its certificate by sending an empty status_request extension as part of the certificate request. The current code expects a full CertificateStatus structure, which is only sent if the server sends an OCSP response with its certificate. This causes interoperability issues with Go's TLS server and with newer GnuTLS where we would abort the handshake with a decode_error alert and length mismatch error. Issue reported and diagnosed by Michael Forney Problem also found by Mikolaj Kucharski and inoguchi. ok inoguchi jsing

Diffstat (limited to 'src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: