Bug 987532 - ocsp utility doesn't tolerate critical id-pkix-ocsp-no-check extension
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Blocks: 1378880
Reported: 2013-07-23 11:20 EDT by Hubert Kario
Modified: 2016-09-23 11:04 EDT
Clones: 1378880
Doc Type: Bug Fix
Last Closed: 2016-09-23 11:04:34 EDT
Type: Bug
Attachments: None
Description Hubert Kario 2013-07-23 11:20:13 EDT
Description of problem:
If the delegated OCSP responder certificate has the id-pkix-ocsp-nocheck extension specified and marked as critical, the OCSP response verification check fails.

Version-Release number of selected component (if applicable):
openssl-1.0.0-27.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a PKI structure with separate OCSP server and leaf certificates
2. Start ocsp responder with the certificate
3. Try to verify any certificate using openssl ocsp

Actual results:
Response Verify Failure
140558360512352:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unhandled critical extension
certs/ca_cert.pem: good
        This Update: Jul 23 15:12:40 2013 GMT

Expected:
Response verify OK
certs/ca_cert.pem: good
        This Update: Jul 23 15:12:40 2013 GMT

Additional info:
Comment 2 Tomas Mraz 2013-07-24 03:31:32 EDT
This bug and similar bugs in the OCSP response verification should always be tested first with the latest upstream released version. If it is present there, it should be reported to upstream RT (rt@openssl.org). Unfortunately, due to other projects I won't have time to write patches for this in the near future.
Comment 3 RHEL Product and Program Management 2013-10-13 23:03:23 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 8 RHEL Product and Program Management 2016-09-23 11:04:34 EDT
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.