not ignoring HTTP Content-Type header of answer

mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.

https://github.com/mpeylo/cmpossl/wiki

Other

35 stars 13 forks source link

not ignoring HTTP Content-Type header of answer #152

Closed mpeylo closed 3 years ago

mpeylo commented 5 years ago

The HTTP Content-Type header this is currently silently ignored.

In case that is not set, there should likely be at least a warning.

In case the HTTP Content-Type is set to anything else than application/pkixcmp, a relevant error should be triggered.

DDvO commented 4 years ago

I've developed an enhanced HTTP client for OpenSSL, which is currently a pull request there: https://github.com/openssl/openssl/pull/10667. Among others, this includes the check requested above. Hope this will be integrated with the OpenSSL master soon, and then our CMP contribution will benefit from this enhancement.

DDvO commented 4 years ago

The improvement meanwhile has become part of OpenSSL and of our cmp-dev master branch.