Bug 62221 - OCSP response processing uses always the first entry in the response
Summary: OCSP response processing uses always the first entry in the response
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-03-26 22:47 UTC by Dirk Stein
Modified: 2018-06-04 16:09 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Dirk Stein 2018-03-26 22:47:16 UTC
The OCSP revocation check in Tomcat native does always choose the first entry in the response from the OCSP responder. The following line in the code is responsible for this selection:
    ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
in /native/src/sslutils.c (from what I can tell all versions, that include this feature)

However we experienced weird behaviour with the OCSP revocation check, since our PKI uses pre-produced (and signed) responses, which usually persist of multiple certificate entries (for further performance optimizations I guess, unfortunately I have no insight there).
Checking the OCSP RFC (https://tools.ietf.org/html/rfc6960) I don't see anything there suggesting, that this is incorrect behaviour of the OCSP responder.

Unfortunately this leads to unpredictable behaviour of the Tomcat and renders the revocation check practically useless in this case.
Comment 1 Dirk Stein 2018-03-26 23:05:15 UTC
Small addition, expected behaviour: Use OCSP_resp_find to find the correct certificate in the response
Comment 2 jfclere 2018-06-04 16:09:13 UTC
Fixed in trunk will in 1.2.17