62221 – OCSP response processing uses always the first entry in the response

Bug 62221 - OCSP response processing uses always the first entry in the response

Summary: OCSP response processing uses always the first entry in the response

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat Native
Classification:	Unclassified
Component:	Library (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-03-26 22:47 UTC by Dirk Stein
Modified:	2018-06-04 16:09 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dirk Stein 2018-03-26 22:47:16 UTC

The OCSP revocation check in Tomcat native does always choose the first entry in the response from the OCSP responder. The following line in the code is responsible for this selection:
    ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
in /native/src/sslutils.c (from what I can tell all versions, that include this feature)

However we experienced weird behaviour with the OCSP revocation check, since our PKI uses pre-produced (and signed) responses, which usually persist of multiple certificate entries (for further performance optimizations I guess, unfortunately I have no insight there).
Checking the OCSP RFC (https://tools.ietf.org/html/rfc6960) I don't see anything there suggesting, that this is incorrect behaviour of the OCSP responder.

Unfortunately this leads to unpredictable behaviour of the Tomcat and renders the revocation check practically useless in this case.

Comment 1 Dirk Stein 2018-03-26 23:05:15 UTC

Small addition, expected behaviour: Use OCSP_resp_find to find the correct certificate in the response

Comment 2 jfclere 2018-06-04 16:09:13 UTC

Fixed in trunk will in 1.2.17