[mod_gnutls-devel] Initial development for OCSP support

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Feb 18 15:58:33 CET 2014


On Tue, Feb 18, 2014 at 10:06 AM, Benny Baumann <BenBE at geshi.org> wrote:
> Hi guys,
> I found (and fixed locally) one issue regarding OCSP response validation
> that could be used to supply us with stale responses if they were still
> valid. The fix I implemented locally ensures that the response we accept
> into the cache ALWAYS holds the same nonce as we just requested from the
> server.
> This check IS missing in the OCSP client sample of the GnuTLS
> documentation as it is absolutely NO magic to do but avoids real-world
> attacks on implementations based on that sample.
> P.S.: @dkg: Could you forward this request to the GnuTLS people? TIA.

Thanks, I saw it and I'll update the documentation.

regards,
Nikos
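The check described in the quoted report, written out as an added example (this is not mod_gnutls or GnuTLS code, and the struct and function names below are hypothetical). In a real mod_gnutls build the two nonces would come from gnutls_ocsp_req_get_nonce() and gnutls_ocsp_resp_get_nonce(); here they are plain byte buffers so the example runs without GnuTLS, and the sample nonces are constructed. The point of the check is that a signed response can be entirely valid (good signature, inside its thisUpdate/nextUpdate window) and still be a replay of an answer to an earlier request; only the nonce ties it to the request that was just sent, which is why the request nonce must be freshly random every time. The caveat a deployer should know: responders that serve pre-computed responses generally do not echo a nonce, so the strict policy from the report means their answers are never cached.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the parts of an OCSP response this check needs.
 * In a real mod_gnutls build the two nonces come from
 * gnutls_ocsp_req_get_nonce() and gnutls_ocsp_resp_get_nonce(); here they
 * are plain byte buffers so the example runs without GnuTLS. */
typedef struct {
    int has_nonce;          /* 0 when the responder omitted id-pkix-ocsp-nonce */
    const uint8_t *nonce;   /* extension value, without the OCTET STRING wrapper */
    size_t nonce_len;
} ocsp_resp_model;

/* Constant-time equality over len bytes, so a failed comparison does not
 * leak the position of the first differing byte through timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Gate on the cache: a response may be stored only if it echoes exactly the
 * nonce of the request we just sent. Run this after the responder-signature
 * and thisUpdate/nextUpdate checks; it complements them, it does not replace
 * them. Returns 1 to accept, 0 to reject. */
int ocsp_nonce_check(const uint8_t *req_nonce, size_t req_len,
                     const ocsp_resp_model *resp)
{
    if (req_nonce == NULL || req_len == 0)
        return 0;   /* we always send a nonce, so a missing one is our bug */
    if (resp == NULL || !resp->has_nonce)
        return 0;   /* strict policy from the report: no nonce, no cache entry */
    if (resp->nonce_len != req_len)
        return 0;   /* lengths first; ct_equal assumes equal-length buffers */
    return ct_equal(req_nonce, resp->nonce, req_len);
}

/* Constructed sample data (not real OCSP traffic): the nonce from the request
 * just sent, and the nonce from an earlier request whose response an attacker
 * could replay while it is still inside its validity window. */
static const uint8_t g_req_nonce[16] = {
    0x4f, 0x1a, 0xc3, 0x9e, 0x07, 0x52, 0xb8, 0x6d,
    0xe1, 0x30, 0x99, 0xa4, 0x7c, 0x5b, 0x2e, 0xd0
};
static const uint8_t g_old_nonce[16] = {
    0x4f, 0x1a, 0xc3, 0x9e, 0x07, 0x52, 0xb8, 0x6d,
    0xe1, 0x30, 0x99, 0xa4, 0x7c, 0x5b, 0x2e, 0xd1   /* differs only in the last byte */
};

/* Fresh response: the responder echoed our nonce. Expected: accepted. */
int check_fresh_response(void)
{
    ocsp_resp_model resp = { 1, g_req_nonce, sizeof g_req_nonce };
    return ocsp_nonce_check(g_req_nonce, sizeof g_req_nonce, &resp);
}

/* Replayed response: validly signed and still before nextUpdate, but it
 * carries the nonce of a previous request. Expected: rejected. */
int check_replayed_response(void)
{
    ocsp_resp_model resp = { 1, g_old_nonce, sizeof g_old_nonce };
    return ocsp_nonce_check(g_req_nonce, sizeof g_req_nonce, &resp);
}

/* Response without the nonce extension. Expected: rejected under the strict
 * policy, since a nonce-less response cannot prove it answers this request. */
int check_nonceless_response(void)
{
    ocsp_resp_model resp = { 0, NULL, 0 };
    return ocsp_nonce_check(g_req_nonce, sizeof g_req_nonce, &resp);
}

/* Truncated nonce: same prefix, shorter length. Expected: rejected. */
int check_truncated_response(void)
{
    ocsp_resp_model resp = { 1, g_req_nonce, sizeof g_req_nonce - 1 };
    return ocsp_nonce_check(g_req_nonce, sizeof g_req_nonce, &resp);
}

int main(void)
{
    printf("fresh:     %s\n", check_fresh_response()     ? "accept" : "reject");
    printf("replayed:  %s\n", check_replayed_response()  ? "accept" : "reject");
    printf("no nonce:  %s\n", check_nonceless_response() ? "accept" : "reject");
    printf("truncated: %s\n", check_truncated_response() ? "accept" : "reject");
    return 0;
}
```

The comparison deliberately rejects a length mismatch before looking at bytes, and compares in constant time; neither matters much for a 16-byte nonce, but it keeps the gate free of surprises if the nonce length ever changes.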