cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: OpenSSL OCSP API breakage

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Tue, 24 Mar 2015 18:36:01 +0100

On Fri, Mar 20, 2015 at 01:15:17PM +0100, Alessandro Ghedini wrote:
> On ven, mar 20, 2015 at 11:21:42 +0100, Daniel Stenberg wrote:
> > Hey
> >
> > Just a heads up here. And a chance for me to whine a little bit.
> >
> > Yesterday after the recent OpenSSL security announcement I updated to the
> > latest OpenSSL git master in a local build of mine, only to realize that
> > they've changed the API in HEAD and as a consequence libcurl no longer
> > builds with the latest OpenSSL code.
> >
> > The OpenSSL commit 6ef869d7d0a9d is the offender, and it was made quite
> > deliberately: "Make OCSP structures opaque."
> >
> > I figure we should replace the struct references with the proper function
> > invokes but after having read our code and the latest OpenSSL headers it
> > isn't really clear to me which ones to use.
> >
> > Here's a sample of how this tastes:
> >
> > vtls/openssl.c: In function 'verifystatus':
> > vtls/openssl.c:1371:44: error: dereferencing pointer to incomplete type
> > if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
> > ^
> > vtls/openssl.c:1372:39: error: dereferencing pointer to incomplete type
> > X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
>
> These two are needed to workaround the OpenSSL verification bug [0], and without
> it the feature won't work with a pretty big number of servers. I stll haven't
> received any comment on my patch (see link), and I kind of gave up a while ago.
>
> Unfortunately there doesn't seem to be any "getter" functions for the ->certs
> field, so either the bug gets fixed or libcurl will be b0rked. Trying openssl
> git master without the workaround may be worth a try, but looking at the code,
> the issue doesn't seem to be fixed yet.
>
> I don't know if there is anyone listening who can do anything about it, but it's
> IMO a pretty important OpenSSL issue that really needs to be fixed, if you care
> about OCSP.

Good news! The issue should be fixed now, in commit 4ca5efc. However I can't
build curl with openssl HEAD right now (for, I suppose, unrelated reasons), so I
can't test if the fix actually works (they didn't merge my patch, but a possibly
better fix), so could someone please test this?

The curl workaround code should probably be put inside ifdefs checking for
whatever openssl version will include the fix, but for a simple test it can be
removed completely, then run the following to check if the bug was fixed:

  $ src/curl https://digitalocean.com --cert-status

Cheers

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2015-03-24