Bug #95473 for Net-SSLeay: Feature request with patch included: OCSP support

Thu May 08 14:34:49 2014 Steffen_Ullrich [...] genua.de - Ticket created

Subject:

Feature request with patch included: OCSP support

Hi, at https://github.com/noxxi/p5-io-socket-ssl/blob/ocsp/docs/net-ssley-ocsp.patch you'll find a patch against the current SVN version of Net::SSLeay, which adds support for checking the revocation status of certificates using OCSP. It has support for requesting OCSP stapling and also the necessary functionality to requesting OCSP responses from the OCSP responders specified in the certificates. The patch comes with hopefully enough documentation and also a test. It also added a TRACE function to the XS module so that one can do debugging using the $Net::SSLeay::trace variable from inside XS too. The patch is used to add OCSP handling to IO::Socket::SSL, currently only at the ocsp branch at https://github.com/noxxi/p5-io-socket-ssl/tree/ocsp but I hope that I'll release it in a few days. It would be nice if you could incorporate the patch, because it implements a feature which got just after the heartbleed attack more valuable :) Regards, Steffen

Thu May 08 17:52:36 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Fri, 09 May 2014 07:52:20 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi, Thanks for your patch. It has now been added in SVN 403 Hmmm, somehow your patch removed ASN1_TIME_free. Fixed. This seems to be an important patch. I would be happy if you would test this SVN version thoroughly and if you report it to be OK, I will make a new release of net-ssleay. Cheers. On Thursday, May 08, 2014 02:34:50 PM you wrote: Show quoted text

> Thu May 08 14:34:49 2014: Request 95473 was acted upon. > Transaction: Ticket created by SULLR > Queue: Net-SSLeay > Subject: Feature request with patch included: OCSP support > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: Steffen_Ullrich@genua.de > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > > Hi, > at > https://github.com/noxxi/p5-io-socket-ssl/blob/ocsp/docs/net-ssley-ocsp.pat > ch you'll find a patch against the current SVN version of Net::SSLeay, which > adds support for checking the revocation status of certificates using OCSP. > It has support for requesting OCSP stapling and also the necessary > functionality to requesting OCSP responses from the OCSP responders > specified in the certificates. > > The patch comes with hopefully enough documentation and also a test. It also > added a TRACE function to the XS module so that one can do debugging using > the $Net::SSLeay::trace variable from inside XS too. > > The patch is used to add OCSP handling to IO::Socket::SSL, currently only at > the ocsp branch at https://github.com/noxxi/p5-io-socket-ssl/tree/ocsp but > I hope that I'll release it in a few days. > > It would be nice if you could incorporate the patch, because it implements a > feature which got just after the heartbleed attack more valuable :) > > Regards, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Thu May 08 17:52:37 2014 The RT System itself - Status changed from 'new' to 'open'

Fri May 09 03:49:10 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Fri, 9 May 2014 09:48:38 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> Thanks for your patch. > It has now been added in SVN 403

Thanks for applying. I think the new test t/external/ocsp.t is still missing from the SVN. Show quoted text

> Hmmm, somehow your patch removed ASN1_TIME_free. Fixed.

Oops. Good that you detected that. Show quoted text

> This seems to be an important patch. > I would be happy if you would test this SVN version thoroughly and if you > report it to be OK, I will make a new release of net-ssleay.

I currently run a test against the Alexa 10000 top sites. The code behaves stable, altough the results are very interesting: - About 30% of the sites get certification errors, mostly because they have the wrong hostname in the certificate (often a CDN). As long as this happens only for sites, which are not used for https this might be ok, but then they should better not listen for https at all. - there are lots of intermediate certificates which do not have OCSP URIs - only few sites support OCSP response stapling yet (less than 10%) Regards, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Fri May 09 17:02:50 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Sat, 10 May 2014 07:02:36 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

On Friday, May 09, 2014 03:49:11 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > >

> > Thanks for your patch. > > It has now been added in SVN 403

> > Thanks for applying. > I think the new test t/external/ocsp.t is still missing from the SVN.

Ooops should be there in SVN 404 now. Thanks for checking Show quoted text

>

> > Hmmm, somehow your patch removed ASN1_TIME_free. Fixed.

> > Oops. Good that you detected that. >

> > This seems to be an important patch. > > I would be happy if you would test this SVN version thoroughly and if you > > report it to be OK, I will make a new release of net-ssleay.

> > I currently run a test against the Alexa 10000 top sites. > The code behaves stable, altough the results are very interesting: > - About 30% of the sites get certification errors, mostly because they have > the wrong hostname in the certificate (often a CDN). > As long as this happens only for sites, which are not used for https this > might be ok, but then they should better not listen for https at all. > - there are lots of intermediate certificates which do not have OCSP URIs > - only few sites support OCSP response stapling yet (less than 10%)

OK, if you can confirm t/external/ocsp.t is there for you I will make a new release. Cheers. Show quoted text

> > Regards, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Fri May 09 17:18:32 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Fri, 9 May 2014 23:18:05 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> OK, if you can confirm t/external/ocsp.t is there for you I will make a new > release.

Yes, it is there. Thanks a lot, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Fri May 09 18:10:14 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Sat, 10 May 2014 08:10:03 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Thanks, new version 1.59 uploaded to CPAN On Friday, May 09, 2014 05:18:32 PM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > >

> > OK, if you can confirm t/external/ocsp.t is there for you I will make a > > new > > release.

> > Yes, it is there. > > Thanks a lot, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Sat May 10 08:21:22 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Sat, 10 May 2014 14:20:59 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

On Fri, May 09, 2014 at 06:10:15PM -0400, Mike McCauley via RT <bug-Net-SSLeay@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > Thanks, > new version 1.59 uploaded to CPAN

Thanks, looking at cpantesters I found one FAIL with a version of openssl which does not support OCSP yet. Attached diff fixes the test so that it checks if OCSP is supported at all. Also it fixes some newly introduced warnings if compiled with -Wall. Regards, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Message body is not shown because sender requested not to inline it.

Sat May 10 17:32:51 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Sun, 11 May 2014 07:32:41 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Steffen, Thanks. This will be in the next release. Cheers. On Saturday, May 10, 2014 08:21:23 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > On Fri, May 09, 2014 at 06:10:15PM -0400, Mike McCauley via RT <bug-Net-

SSLeay@rt.cpan.org> wrote: Show quoted text

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > > > Thanks, > > new version 1.59 uploaded to CPAN

> > Thanks, > looking at cpantesters I found one FAIL with a version of openssl which > does not support OCSP yet. Attached diff fixes the test so that it checks > if OCSP is supported at all. Also it fixes some newly introduced warnings > if compiled with -Wall. > > Regards, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Sun May 11 10:23:02 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Sun, 11 May 2014 16:22:41 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

On Sat, May 10, 2014 at 05:32:52PM -0400, Mike McCauley via RT <bug-Net-SSLeay@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > Hi Steffen, > > Thanks. This will be in the next release.

Thank you. Unfortunatly I have yet another diff. This one changes calloc to Newx and free to Safefree, otherwise there might be problems because calloc is done from a different memory pool than free (depends on the build options for perl, but seen on Windows). And I've found a memory leak in OCSP_response_results, where I forgot to have the (Safe)free. I hope this was it then, the cpantesters look good so far (life tests are enabled by default with IO::Socket::SSL, and this includes OCSP test). Regards, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Message body is not shown because sender requested not to inline it.

Mon May 12 03:32:22 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Mon, 12 May 2014 17:32:08 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi, your patch is now in SVN 407. If you will test I will make a new release. Cheers. On Sunday, May 11, 2014 10:23:03 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > On Sat, May 10, 2014 at 05:32:52PM -0400, Mike McCauley via RT <bug-Net-

SSLeay@rt.cpan.org> wrote: Show quoted text

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > > > Hi Steffen, > > > > Thanks. This will be in the next release.

> > Thank you. > > Unfortunatly I have yet another diff. > This one changes calloc to Newx and free to Safefree, otherwise there might > be problems because calloc is done from a different memory pool than free > (depends on the build options for perl, but seen on Windows). > > And I've found a memory leak in OCSP_response_results, where I forgot to > have the (Safe)free. > > I hope this was it then, the cpantesters look good so far (life tests are > enabled by default with IO::Socket::SSL, and this includes OCSP test). > > Regards, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Mon May 12 04:05:41 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Mon, 12 May 2014 10:05:18 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

Show quoted text

> > your patch is now in SVN 407. If you will test I will make a new release.

Yes, it looks good for me. Thanks, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Mon May 12 06:06:55 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Mon, 12 May 2014 20:06:44 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Thanks. 1.61 is now uploaded. Cheers. On Monday, May 12, 2014 04:05:42 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > >

> > your patch is now in SVN 407. If you will test I will make a new release.

> > Yes, it looks good for me. > > Thanks, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Thu May 15 02:15:55 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Thu, 15 May 2014 08:15:30 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

On Mon, May 12, 2014 at 06:06:57AM -0400, Mike McCauley via RT <bug-Net-SSLeay@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > Thanks. > 1.61 is now uploaded.

Thank you. I have yet another diff, but this is not a bug in the code but just to make the feature better: when checking the complety chain against revocation I often got the problem, that the signature of the OCSP response for the lowest chain certificate could not be verified. It turns out that some CA (like Verisign) sign this OCSP response with the CA we have in the trust store and don't attach this certifcate at the response. But OpenSSL by itself only considers the certificates included in the response and SSL_OCSP_response_verify added the certificates in the chain too. With the attached patch we also add the trusted CA from the store which signed the lowest chain certificate, at least if we could not verify the OCSP response without doing it. This seems to solve the problem, e.g. now I can also verify the OCSP responses for the lowest chain certificates. Regards, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Message body is not shown because sender requested not to inline it.

Thu May 15 02:31:00 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Thu, 15 May 2014 16:30:40 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Steffen, Thanks. Your patch is now in SVN 408. In case you think of some more improvements soon, I will not make a new release just yet. Cheers. On Thursday, May 15, 2014 02:15:56 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > On Mon, May 12, 2014 at 06:06:57AM -0400, Mike McCauley via RT <bug-Net-

SSLeay@rt.cpan.org> wrote: Show quoted text

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > > > Thanks. > > 1.61 is now uploaded.

> > Thank you. > > I have yet another diff, but this is not a bug in the code but just to make > the feature better: when checking the complety chain against revocation I > often got the problem, that the signature of the OCSP response for the > lowest chain certificate could not be verified. It turns out that some CA > (like Verisign) sign this OCSP response with the CA we have in the trust > store and don't attach this certifcate at the response. > But OpenSSL by itself only considers the certificates included in the > response and SSL_OCSP_response_verify added the certificates in the chain > too. > > With the attached patch we also add the trusted CA from the store which > signed the lowest chain certificate, at least if we could not verify the > OCSP response without doing it. This seems to solve the problem, e.g. > now I can also verify the OCSP responses for the lowest chain certificates. > > Regards, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Thu May 15 02:45:12 2014 Steffen_Ullrich [...] genua.de - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Thu, 15 May 2014 08:44:52 +0200
To:	Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From:	Steffen Ullrich <Steffen_Ullrich [...] genua.de>

On Thu, May 15, 2014 at 02:31:02AM -0400, Mike McCauley via RT <bug-Net-SSLeay@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > Hi Steffen, > > Thanks. > Your patch is now in SVN 408. In case you think of some more improvements > soon, I will not make a new release just yet.

No, I think I will slow down now :) For now I think all is done for OCSP on the client side and OCSP on the server side can wait. Thanks, Steffen -- genua Gesellschaft fuer Netzwerk- und Unix-Administration mbH Domagkstrasse 7, 85551 Kirchheim bei Muenchen tel +49 89 991950-0, fax -999, www.genua.de Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht Muenchen HRB 98238

Sun May 18 17:21:32 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Mon, 19 May 2014 07:21:20 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Steffen, Version 1.62 has now been uploaded with your latest change. Cheers. On Thursday, May 15, 2014 02:45:13 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > On Thu, May 15, 2014 at 02:31:02AM -0400, Mike McCauley via RT <bug-Net-

SSLeay@rt.cpan.org> wrote: Show quoted text

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > > > Hi Steffen, > > > > Thanks. > > Your patch is now in SVN 408. In case you think of some more improvements > > soon, I will not make a new release just yet.

> > No, I think I will slow down now :) > For now I think all is done for OCSP on the client side and OCSP on the > server side can wait. > > Thanks, > Steffen

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Mon May 19 10:03:35 2014 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Sun May 18 17:21:32 2014, mikem@airspayce.com wrote: Show quoted text

> Hi Steffen, > > Version 1.62 has now been uploaded with your latest change.

I'm seeing this with openssl 1.0.0 through to 1.0.0j (openssl 0.9.8* and openssl 1.0.0k onwards seem OK): $ make test PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/*/*.t t/*/*/*.t t/external/08_external.t ............... ok t/external/15_altnames.t ............... ok t/external/20_cert_chain.t ............. ok # tcp connect to www.live.com:443 ok # got stapled OCSP response # SSL_connect ok # fingerprint matches # status=0 as expected: nextUpd=Wed May 21 05:49:50 2014 # no HTTP: skip checking http://EVIntl-ocsp.verisign.com | /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna DUB-DC A May2013/CN=mail.live.com # no HTTP: skip checking http://EVSecure-ocsp.verisign.com | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA # no HTTP: skip checking http://ocsp.verisign.com | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 # tcp connect to www.google.com:443 ok # got no stapled OCSP response # SSL_connect ok # tcp connect to revoked.grc.com:443 ok # got stapled OCSP response # SSL_connect ok # fingerprint matches # Failed test 'cannot verify response: ' # at t/external/ocsp.t line 178. # Looks like you failed 1 test of 3. t/external/ocsp.t ...................... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/3 subtests (less 1 skipped subtest: 1 okay) t/handle/external/10_destroy.t ......... ok t/handle/external/50_external.t ........ ok t/handle/local/05_use.t ................ ok t/local/01_pod.t ....................... ok t/local/02_pod_coverage.t .............. skipped: these tests are for only for release candidate testing. Enable with RELEASE_TESTING=1 t/local/03_use.t ....................... ok # Version info: # Testing Net::SSLeay 1.63, Perl 5.010000, /usr/bin/perl # OpenSSL version: 'OpenSSL 1.0.0b-fips 16 Nov 2010' # OpenSSL platform: 'platform: linux-x86_64' t/local/04_basic.t ..................... ok t/local/05_passwd_cb.t ................. ok t/local/06_tcpecho.t ................... ok t/local/07_sslecho.t ................... ok t/local/08_pipe.t ...................... ok t/local/15_bio.t ....................... ok t/local/20_autoload.t .................. ok t/local/21_constants.t ................. ok t/local/30_error.t ..................... ok t/local/31_rsa_generate_key.t .......... ok t/local/32_x509_get_cert_info.t ........ ok t/local/33_x509_create_cert.t .......... ok t/local/34_x509_crl.t .................. ok t/local/35_ephemeral.t ................. ok t/local/36_verify.t .................... ok t/local/37_asn1_time.t ................. ok t/local/38_priv-key.t .................. ok t/local/39_pkcs12.t .................... ok t/local/40_npn_support.t ............... skipped: openssl 1.0.1 required t/local/41_alpn_support.t .............. skipped: openssl 1.0.2 required t/local/50_digest.t .................... ok t/local/61_threads-cb-crash.t .......... ok t/local/62_threads-ctx_new-deadlock.t .. ok t/local/kwalitee.t ..................... skipped: these tests are for only for release candidate testing. Enable with RELEASE_TESTING=1 Test Summary Report ------------------- t/external/ocsp.t (Wstat: 256 Tests: 3 Failed: 1) Failed test: 3 Non-zero exit status: 1 Files=34, Tests=2726, 14 wallclock secs ( 0.40 usr 0.06 sys + 3.03 cusr 0.22 csys = 3.71 CPU) Result: FAIL Failed 1/34 test programs. 1/2726 subtests failed. make: *** [test_dynamic] Error 255

Mon May 19 10:56:05 2014 paul [...] city-fan.org - Correspondence added

From:

paul [...] city-fan.org

On Mon May 19 10:03:35 2014, paul@city-fan.org wrote: Show quoted text

> On Sun May 18 17:21:32 2014, mikem@airspayce.com wrote:

> > Hi Steffen, > > > > Version 1.62 has now been uploaded with your latest change.

> > I'm seeing this with openssl 1.0.0 through to 1.0.0j (openssl 0.9.8* > and openssl 1.0.0k onwards seem OK): > > $ make test > PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" > "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/*/*.t t/*/*/*.t > t/external/08_external.t ............... ok > t/external/15_altnames.t ............... ok > t/external/20_cert_chain.t ............. ok > # tcp connect to www.live.com:443 ok > # got stapled OCSP response > # SSL_connect ok > # fingerprint matches > # status=0 as expected: nextUpd=Wed May 21 05:49:50 2014 > # no HTTP: skip checking http://EVIntl-ocsp.verisign.com | > /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private > Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 > Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna DUB-DC A > May2013/CN=mail.live.com > # no HTTP: skip checking http://EVSecure-ocsp.verisign.com | > /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at > https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended > Validation SSL SGC CA > # no HTTP: skip checking http://ocsp.verisign.com | /C=US/O=VeriSign, > Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For > authorized use only/CN=VeriSign Class 3 Public Primary Certification > Authority - G5 > # tcp connect to www.google.com:443 ok > # got no stapled OCSP response > # SSL_connect ok > # tcp connect to revoked.grc.com:443 ok > # got stapled OCSP response > # SSL_connect ok > # fingerprint matches > # Failed test 'cannot verify response: ' > # at t/external/ocsp.t line 178. > # Looks like you failed 1 test of 3. > t/external/ocsp.t ...................... > Dubious, test returned 1 (wstat 256, 0x100) > Failed 1/3 subtests > (less 1 skipped subtest: 1 okay) > t/handle/external/10_destroy.t ......... ok > t/handle/external/50_external.t ........ ok > t/handle/local/05_use.t ................ ok > t/local/01_pod.t ....................... ok > t/local/02_pod_coverage.t .............. skipped: these tests are for > only for release candidate testing. Enable with RELEASE_TESTING=1 > t/local/03_use.t ....................... ok > # Version info: > # Testing Net::SSLeay 1.63, Perl 5.010000, /usr/bin/perl > # OpenSSL version: 'OpenSSL 1.0.0b-fips 16 Nov 2010' > # OpenSSL platform: 'platform: linux-x86_64' > t/local/04_basic.t ..................... ok > t/local/05_passwd_cb.t ................. ok > t/local/06_tcpecho.t ................... ok > t/local/07_sslecho.t ................... ok > t/local/08_pipe.t ...................... ok > t/local/15_bio.t ....................... ok > t/local/20_autoload.t .................. ok > t/local/21_constants.t ................. ok > t/local/30_error.t ..................... ok > t/local/31_rsa_generate_key.t .......... ok > t/local/32_x509_get_cert_info.t ........ ok > t/local/33_x509_create_cert.t .......... ok > t/local/34_x509_crl.t .................. ok > t/local/35_ephemeral.t ................. ok > t/local/36_verify.t .................... ok > t/local/37_asn1_time.t ................. ok > t/local/38_priv-key.t .................. ok > t/local/39_pkcs12.t .................... ok > t/local/40_npn_support.t ............... skipped: openssl 1.0.1 > required > t/local/41_alpn_support.t .............. skipped: openssl 1.0.2 > required > t/local/50_digest.t .................... ok > t/local/61_threads-cb-crash.t .......... ok > t/local/62_threads-ctx_new-deadlock.t .. ok > t/local/kwalitee.t ..................... skipped: these tests are for > only for release candidate testing. Enable with RELEASE_TESTING=1 > Test Summary Report > ------------------- > t/external/ocsp.t (Wstat: 256 Tests: 3 Failed: 1) > Failed test: 3 > Non-zero exit status: 1 > Files=34, Tests=2726, 14 wallclock secs ( 0.40 usr 0.06 sys + 3.03 > cusr 0.22 csys = 3.71 CPU) > Result: FAIL > Failed 1/34 test programs. 1/2726 subtests failed. > make: *** [test_dynamic] Error 255

I don't see these failures if I have HTTP::Tiny installed.

Mon May 19 17:25:48 2014 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #95473] Feature request with patch included: OCSP support
Date:	Tue, 20 May 2014 07:25:33 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi, thanks for reporting this. Fixed in SVN 411. Cheers. On Monday, May 19, 2014 10:56:06 AM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95473 > > > On Mon May 19 10:03:35 2014, paul@city-fan.org wrote:

> > On Sun May 18 17:21:32 2014, mikem@airspayce.com wrote:

> > > Hi Steffen, > > > > > > Version 1.62 has now been uploaded with your latest change.

> > > > I'm seeing this with openssl 1.0.0 through to 1.0.0j (openssl 0.9.8* > > and openssl 1.0.0k onwards seem OK): > > > > $ make test > > PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" > > "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/*/*.t t/*/*/*.t > > t/external/08_external.t ............... ok > > t/external/15_altnames.t ............... ok > > t/external/20_cert_chain.t ............. ok > > # tcp connect to www.live.com:443 ok > > # got stapled OCSP response > > # SSL_connect ok > > # fingerprint matches > > # status=0 as expected: nextUpd=Wed May 21 05:49:50 2014 > > # no HTTP: skip checking http://EVIntl-ocsp.verisign.com | > > /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessC > > ategory=Private > > Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L > > =Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna > > DUB-DC A > > May2013/CN=mail.live.com > > # no HTTP: skip checking http://EVSecure-ocsp.verisign.com | > > /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at > > https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended > > Validation SSL SGC CA > > # no HTTP: skip checking http://ocsp.verisign.com | /C=US/O=VeriSign, > > Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For > > authorized use only/CN=VeriSign Class 3 Public Primary Certification > > Authority - G5 > > # tcp connect to www.google.com:443 ok > > # got no stapled OCSP response > > # SSL_connect ok > > # tcp connect to revoked.grc.com:443 ok > > # got stapled OCSP response > > # SSL_connect ok > > # fingerprint matches > > # Failed test 'cannot verify response: ' > > # at t/external/ocsp.t line 178. > > # Looks like you failed 1 test of 3. > > > > t/external/ocsp.t ...................... > > > > Dubious, test returned 1 (wstat 256, 0x100) > > > > Failed 1/3 subtests > > > > (less 1 skipped subtest: 1 okay) > > > > t/handle/external/10_destroy.t ......... ok > > t/handle/external/50_external.t ........ ok > > t/handle/local/05_use.t ................ ok > > t/local/01_pod.t ....................... ok > > t/local/02_pod_coverage.t .............. skipped: these tests are for > > only for release candidate testing. Enable with RELEASE_TESTING=1 > > t/local/03_use.t ....................... ok > > # Version info: > > # Testing Net::SSLeay 1.63, Perl 5.010000, /usr/bin/perl > > # OpenSSL version: 'OpenSSL 1.0.0b-fips 16 Nov 2010' > > # OpenSSL platform: 'platform: linux-x86_64' > > t/local/04_basic.t ..................... ok > > t/local/05_passwd_cb.t ................. ok > > t/local/06_tcpecho.t ................... ok > > t/local/07_sslecho.t ................... ok > > t/local/08_pipe.t ...................... ok > > t/local/15_bio.t ....................... ok > > t/local/20_autoload.t .................. ok > > t/local/21_constants.t ................. ok > > t/local/30_error.t ..................... ok > > t/local/31_rsa_generate_key.t .......... ok > > t/local/32_x509_get_cert_info.t ........ ok > > t/local/33_x509_create_cert.t .......... ok > > t/local/34_x509_crl.t .................. ok > > t/local/35_ephemeral.t ................. ok > > t/local/36_verify.t .................... ok > > t/local/37_asn1_time.t ................. ok > > t/local/38_priv-key.t .................. ok > > t/local/39_pkcs12.t .................... ok > > t/local/40_npn_support.t ............... skipped: openssl 1.0.1 > > required > > t/local/41_alpn_support.t .............. skipped: openssl 1.0.2 > > required > > t/local/50_digest.t .................... ok > > t/local/61_threads-cb-crash.t .......... ok > > t/local/62_threads-ctx_new-deadlock.t .. ok > > t/local/kwalitee.t ..................... skipped: these tests are for > > only for release candidate testing. Enable with RELEASE_TESTING=1 > > Test Summary Report > > ------------------- > > t/external/ocsp.t (Wstat: 256 Tests: 3 Failed: 1) > > > > Failed test: 3 > > Non-zero exit status: 1 > > > > Files=34, Tests=2726, 14 wallclock secs ( 0.40 usr 0.06 sys + 3.03 > > cusr 0.22 csys = 3.71 CPU) > > Result: FAIL > > Failed 1/34 test programs. 1/2726 subtests failed. > > make: *** [test_dynamic] Error 255

> > I don't see these failures if I have HTTP::Tiny installed.

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070

Sat May 24 03:26:10 2014 MIKEM [...] cpan.org - Status changed from 'open' to 'resolved'

Sat May 24 03:26:11 2014 MIKEM [...] cpan.org - Taken