Bug 1020349 - openssl ocsp tool doesn't return 1 on receiving errors from server
Summary: openssl ocsp tool doesn't return 1 on receiving errors from server
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-17 13:36 UTC by Hubert Kario
Modified: 2013-11-08 16:47 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-08 16:47:58 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Hubert Kario 2013-10-17 13:36:18 UTC 
Description of problem:
When `openssl ocsp` utility receives malformed_request, internal_error, try_later, sig_required or unauthorized it does return 0 as exit code.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-21.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start OCSP server that returns error messages
2. Try using ocsp tool to verify any certificate
3.

Actual results:
Responder Error: trylater (3)
echo $?
0

Expected results:
Responder Error: trylater (3)
echo $?
1

Additional info:
Regression from RHEL 6.5
Comment 2 Tomas Mraz 2013-11-08 16:47:58 UTC 
This is actually not a regression. The non-zero exit code marks situation when the OCSP server does not reply at all or the response is not a valid OCSP response.

In this case this is a valid response but a response indicating a problem. You need to parse the output of the ocsp command in the Responder Error.

The 1.0.0 version actually had a bug where the valid OCSP error response was not parsed correctly and the ocsp command misidentified it as malformed response.
Note You need to log in before you can comment on or make changes to this bug.