From: Massimiliano P. <pa...@cs...> - 2006-04-24 09:47:19
Guillaume Tamboise wrote:
[...]
> If I read ocsp_response.c correctly, line 148 attempts to set the
> invalidity date in the OCSP response just because there are extensions
> in the CRL. It is not looking specifically for the extension "Invalidity
> Date" in the CRL:
[...]
> As a result, OCSP returns a field for "Invalidity Date" but with an
> empty content. Cisco IOS considers this response as invalid, and here I
> am (the OpenSSL OCSP client does not seem to care).

You are right, I added the check before adding the extension, this should prevent the adding of the invalidity date with empty value.

[...]
> BTW, it is too bad that the status that OCSPd returns (REVOKED, unknown
> or VALID) is only reachable through DEBUG. I definitely have an interest
> in a configuration flag that would enable logging of REVOKED and/or
> VALID and/or unknown responses.

I fixed this by reporting the status of a certificate when the verbose is used (not only in DEBUG mode).

I attach the ocsp_response.c modified file, try it and, if it works properly, we'll make a new fix release for the OCSP (maybe the 1.1.1).

Let me know,

--
Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]  pa...@cs...
                                            pro...@op...
Dartmouth Computer Science Dept             Home Phone: +1 (603) 397-3883
PKI/Trust - Office 062                      Work Phone: +1 (603) 646-9226
--o------------------------------------------------------------------------
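
An added example, not part of the original message and not OpenCA's code: a standalone DER check that a responder regression test could run on a single extension taken from an OCSP response, flagging the empty Invalidity Date (OID 2.5.29.24) discussed above. The function name and sample bytes are constructed, and "empty" is assumed to mean a zero-length extnValue or a zero-length GeneralizedTime.

```c
#include <stddef.h>
#include <string.h>
/* Read one DER TLV with a short-form length (< 128), enough for this extension. */
static int tlv(const unsigned char **p, size_t *left, unsigned char tag,
               const unsigned char **val, size_t *vlen)
{
    if (*left < 2 || (*p)[0] != tag || (*p)[1] >= 0x80) return 0;
    *vlen = (*p)[1];
    if (*vlen > *left - 2) return 0;
    *val = *p + 2;
    *p += 2 + *vlen;
    *left -= 2 + *vlen;
    return 1;
}

/* Hypothetical helper. 1: Invalidity Date with a non-empty GeneralizedTime;
 * 0: Invalidity Date present but empty or malformed; -1: some other extension. */
int invalidity_date_check(const unsigned char *ext, size_t len)
{
    static const unsigned char oid[] = { 0x55, 0x1D, 0x18 };  /* 2.5.29.24 */
    const unsigned char *body, *v, *p = ext;
    size_t blen, vlen, left = len;
    if (!tlv(&p, &left, 0x30, &body, &blen)) return -1;       /* Extension SEQUENCE */
    p = body; left = blen;
    if (!tlv(&p, &left, 0x06, &v, &vlen) || vlen != sizeof oid ||
        memcmp(v, oid, sizeof oid) != 0) return -1;           /* extnID */
    if (left >= 2 && p[0] == 0x01 && !tlv(&p, &left, 0x01, &v, &vlen))
        return 0;                                             /* optional critical flag */
    if (!tlv(&p, &left, 0x04, &v, &vlen) || left != 0) return 0;  /* extnValue */
    p = v; left = vlen;
    if (!tlv(&p, &left, 0x18, &v, &vlen) || left != 0) return 0;  /* GeneralizedTime */
    return vlen > 0;
}

/* Constructed samples (not taken from a real response). */
static const unsigned char ext_good[] = {         /* value "20060101000000Z" */
    0x30,0x18, 0x06,0x03,0x55,0x1D,0x18, 0x04,0x11, 0x18,0x0F,
    '2','0','0','6','0','1','0','1','0','0','0','0','0','0','Z' };
static const unsigned char ext_empty[]  = { 0x30,0x07, 0x06,0x03,0x55,0x1D,0x18, 0x04,0x00 };
static const unsigned char ext_notime[] = { 0x30,0x09, 0x06,0x03,0x55,0x1D,0x18, 0x04,0x02, 0x18,0x00 };
static const unsigned char ext_reason[] = { 0x30,0x0A, 0x06,0x03,0x55,0x1D,0x15, 0x04,0x03, 0x0A,0x01,0x01 };
int main(void)
{
    return !(invalidity_date_check(ext_good, sizeof ext_good) == 1 &&
             invalidity_date_check(ext_empty, sizeof ext_empty) == 0 &&
             invalidity_date_check(ext_notime, sizeof ext_notime) == 0 &&
             invalidity_date_check(ext_reason, sizeof ext_reason) == -1);
}
```

A return value of 0 marks the kind of response a strict client rejects while a lenient one accepts it.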