Open droe opened 12 years ago
This can be tested using OpenSSL as follows, where sslsniff is listening on port 10080:

```
% openssl ocsp -issuer ca.crt -serial 1234 -url http://127.0.0.1:10080/ocsp
Error querying OCSP responsder
```

That is a client-local error. It should show `Responder Error: trylater (3)` if it received a tryLater from the OCSP server.
`OCSPDenier::ocspResponse` in `http/OCSPDenier.cpp` contains a syntactically invalid OCSP response. OCSPResponse according to RFC 2560:

So instead of the string "3", the HTTP response body should contain an ASN.1 SEQUENCE, containing an ENUMERATED with the value `0x03`, to be a valid OCSP response, which is a total of 5 bytes in the case of tryLater (responseBytes is not needed).

Incidentally, clients seem to ignore ASN.1 syntax errors in OCSP responses, so fixing this might not actually change client behaviour for many OCSP client implementations.
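As an added illustration (not code from the sslsniff project or from this issue), the following builds the five-byte status-only OCSPResponse described above for any RFC 2560 responseStatus value, and strictly checks whether an HTTP body is such a response, so the bare ASCII "3" the issue reports is rejected while `30 03 0a 01 03` is accepted. The class and function names are my own.

```python
from enum import IntEnum


class OCSPResponseStatus(IntEnum):
    # OCSPResponseStatus values from RFC 2560 section 4.2.1 (4 is deliberately unused).
    successful = 0
    malformedRequest = 1
    internalError = 2
    tryLater = 3
    sigRequired = 5
    unauthorized = 6


def encode_status_only_response(status: OCSPResponseStatus) -> bytes:
    """DER-encode OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes OPTIONAL }
    with responseBytes absent: SEQUENCE (0x30) len 3 { ENUMERATED (0x0A) len 1 value }."""
    enumerated = bytes([0x0A, 0x01, int(status)])       # tag, length, single value byte
    return bytes([0x30, len(enumerated)]) + enumerated  # outer SEQUENCE, length 3


def parse_status_only_response(body: bytes) -> OCSPResponseStatus:
    """Strict parser for a status-only OCSPResponse; raises ValueError on anything else."""
    if len(body) != 5 or body[0] != 0x30 or body[1] != 3:
        raise ValueError("body is not a DER SEQUENCE of length 3")
    if body[2] != 0x0A or body[3] != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    try:
        return OCSPResponseStatus(body[4])
    except ValueError:
        raise ValueError(f"unknown OCSPResponseStatus {body[4]}") from None


def is_valid_status_only_response(body: bytes) -> bool:
    """True when body is a well-formed status-only OCSPResponse, False otherwise."""
    try:
        parse_status_only_response(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    try_later = encode_status_only_response(OCSPResponseStatus.tryLater)
    print(try_later.hex())                          # 30030a0103
    print(is_valid_status_only_response(b"3"))      # False: the bare "3" the issue describes
    print(is_valid_status_only_response(try_later))  # True
```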