openbao / openbao

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys.
https://openbao.org/
Mozilla Public License 2.0

Ensure OCSP response is signed by correct issuer #266

Open JanMa opened 6 months ago

JanMa commented 6 months ago

This has been fixed in Vault 1.14.10 and we should fix it as well.

cipherboy commented 6 months ago

See also https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573
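The check this issue asks for, as an added example that is not OpenBao's or Vault's code: an OCSP response for a certificate must be accepted only if it is signed by the CA that issued that certificate, or by a delegated responder certificate that this same CA issued with the id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2). Everything below is constructed for illustration: the certificate names, the ECDSA P-256 keys, and the `TBS` byte string, which stands in for the DER `tbsResponseData` that a real implementation would take from a parsed response. The scenario names (`rogue-ca-direct` and so on) are hypothetical labels for the test cases, and `VerifyResponseSigner` is a model of the signer check only, not a full OCSP parser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixture is a constructed PKI for the demonstration: the real issuer, a delegated
// responder it issued (with and without the OCSPSigning EKU), and an unrelated rogue
// CA with its own responder. TBS stands in for the DER tbsResponseData of a response.
type Fixture struct {
	Issuer, Responder, NoEKU, RogueCA, RogueResponder                *x509.Certificate
	IssuerKey, ResponderKey, NoEKUKey, RogueCAKey, RogueResponderKey *ecdsa.PrivateKey
	TBS                                                              []byte
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(cn string, serial int64, ocspSigning bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ocspSigning {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	}
	return t
}

// newCert generates a P-256 key and issues tmpl from parent; parent == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildFixture creates the constructed CAs and responders used by the scenarios below.
func BuildFixture() (*Fixture, error) {
	f := &Fixture{TBS: []byte("constructed stand-in for tbsResponseData: serial=4242 status=good")}
	var err error
	if f.Issuer, f.IssuerKey, err = newCert(caTemplate("Example Issuing CA", 1), nil, nil); err != nil {
		return nil, err
	}
	if f.Responder, f.ResponderKey, err = newCert(leafTemplate("Example OCSP Responder", 2, true), f.Issuer, f.IssuerKey); err != nil {
		return nil, err
	}
	if f.NoEKU, f.NoEKUKey, err = newCert(leafTemplate("Example Server", 3, false), f.Issuer, f.IssuerKey); err != nil {
		return nil, err
	}
	if f.RogueCA, f.RogueCAKey, err = newCert(caTemplate("Rogue CA", 4), nil, nil); err != nil {
		return nil, err
	}
	if f.RogueResponder, f.RogueResponderKey, err = newCert(leafTemplate("Rogue OCSP Responder", 5, true), f.RogueCA, f.RogueCAKey); err != nil {
		return nil, err
	}
	return f, nil
}

// SignResponse produces the ECDSA-SHA256 signature a responder would place over tbsResponseData.
func SignResponse(key *ecdsa.PrivateKey, tbs []byte) ([]byte, error) {
	h := sha256.Sum256(tbs)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, e := range c.ExtKeyUsage {
		if e == want {
			return true
		}
	}
	return false
}

// VerifyResponseSigner accepts a response only if it was signed by the issuer of the
// certificate under query (responder == nil), or by a responder certificate that this
// same issuer signed and marked with id-kp-OCSPSigning. Any other signer is rejected.
func VerifyResponseSigner(issuer, responder *x509.Certificate, tbs, sig []byte, now time.Time) error {
	if responder == nil {
		return issuer.CheckSignature(x509.ECDSAWithSHA256, tbs, sig)
	}
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("responder certificate was not issued by the certificate's issuer: %w", err)
	}
	if !hasEKU(responder, x509.ExtKeyUsageOCSPSigning) {
		return errors.New("responder certificate lacks the id-kp-OCSPSigning extended key usage")
	}
	if now.Before(responder.NotBefore) || now.After(responder.NotAfter) {
		return errors.New("responder certificate is outside its validity period")
	}
	return responder.CheckSignature(x509.ECDSAWithSHA256, tbs, sig)
}

// Evaluate signs the same TBS with each key and records which responses the check accepts.
func Evaluate(f *Fixture) (map[string]bool, error) {
	cases := []struct {
		name      string
		key       *ecdsa.PrivateKey
		responder *x509.Certificate
	}{
		{"issuer-direct", f.IssuerKey, nil},
		{"delegated-responder", f.ResponderKey, f.Responder},
		{"issuer-leaf-without-ocsp-eku", f.NoEKUKey, f.NoEKU},
		{"rogue-ca-direct", f.RogueCAKey, nil},
		{"rogue-responder", f.RogueResponderKey, f.RogueResponder},
		{"responder-key-but-mismatched-cert", f.RogueResponderKey, f.Responder},
	}
	out := map[string]bool{}
	now := time.Now()
	for _, c := range cases {
		sig, err := SignResponse(c.key, f.TBS)
		if err != nil {
			return nil, err
		}
		out[c.name] = VerifyResponseSigner(f.Issuer, c.responder, f.TBS, sig, now) == nil
	}
	return out, nil
}

func main() {
	f, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	res, err := Evaluate(f)
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-36s accepted=%v\n", name, ok)
	}
}
```

Only the first two scenarios are accepted; the rogue CA, the rogue responder, a leaf the real issuer signed without the OCSPSigning EKU, and a valid responder certificate paired with a signature from a different key are all rejected. The key point is that the issuer passed to `VerifyResponseSigner` must be the issuer of the certificate whose status is being queried, not an arbitrary trusted CA; in a real implementation the same idea applies when calling a proper OCSP parser, for instance `ocsp.ParseResponseForCert` in golang.org/x/crypto/ocsp, which takes the issuer certificate for exactly this purpose.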

DanGhita commented 5 months ago

Hello all,

I can take this bug, if you want. @naphelps, if no objection, could you assign me this bug?

Thanks!

cipherboy commented 5 months ago

@DanGhita This is rather complicated; let's chat about this one online sometime. I have a reproducer, and while I conceptually know the fix, fixing this doesn't really accomplish much, IMHO. I think the OCSP ecosystem needs additional changes.

Mind sending me an email and we can decide on times?

DanGhita commented 5 months ago

OK @cipherboy , no problem.