From a4156cded367fa7138bc90d0d11dcdb3e8a72032 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 21 Aug 2015 23:23:21 +0900 Subject: [PATCH] fetch-ocsp-response: Handle spurious openssl exist status 0 With OpenSSL <= 1.0.1, openssl ocsp command still returns exit code 0, even if verification was failed. If that happens certain string is emitted in stderr, so check that string and if exists, treat it as error. This issue was fixed in OpenSSL 1.0.2. At least OpenSSL 1.0.2, openssl ocsp command still returns exit code 0, even if responder returned non-successful status code (e.g., trylater(3)). We are not sure this is intentional or not. To handle this, we again check certain error string in stdout, and if it is found, treat it as error. --- script/fetch-ocsp-response | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/script/fetch-ocsp-response b/script/fetch-ocsp-response index 1914886b..c3aadf27 100755 --- a/script/fetch-ocsp-response +++ b/script/fetch-ocsp-response @@ -169,11 +169,18 @@ def verify_response(cmd, tempdir, issuer_fn, respder_fn): ] for extra in allextra: - with open(verify_fn, 'wb') as f: + with open(verify_fn, 'w+b') as f: args = [cmd, 'ocsp', '-respin', respder_fn] args.extend(extra) p = subprocess.Popen(args, stdout=f, stderr=f) if p.wait() == 0: + # OpenSSL <= 1.0.1, openssl ocsp still returns exit + # code 0 even if verification was failed. So check + # the error message in stderr output. + f.seek(0) + if f.read().decode('utf-8').find( + 'Response Verify Failure') != -1: + continue sys.stderr.write('verify OK (used: {})\n'.format(extra)) return True @@ -201,6 +208,11 @@ def fetch_ocsp_response(cmd, cert_fn, tempdir, issuer_fn=None): sys.stderr.write('{}\n'.format(resp)) + # OpenSSL 1.0.2 still returns exit code 0 even if ocsp responder + # returned error status (e.g., trylater(3)) + if resp.find('Responder Error:') != -1: + raise Exception('responder returned error') + if not verify_response(cmd, tempdir, issuer_fn, respder_fn): tempfail('failed to verify the response')