[ssh_x509] OCSP validation request to all the certificate in chain except root CA certificate

ssh_x509 at roumenpetrov.info
Tue Apr 28 20:53:37 EEST 2020


Hi Mohit,
ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> While browsing through the code, I found following comment in x509store.c
>
> /* To minimize network latency and keeping in mind 1.) we send
>   * 'OCSP request' only for the last certificate in the chain, i.e.
>   * sended client or server certificate.
>   *
>   * Therefore instead to send OCSP request in ssh_x509revoked_cb()
>   * we do this here.
>   */
> ret = ssh_ocsp_validate(_cert, x509store);
>
> Would you be able to help me in getting the changes so that an OCSP request
> can be sent for all the certificates in the chain except the root CA
> certificate?

One place is the X509 verify callback, i.e. ssh_x509store_cb, in the statement after the check for revoked.
To avoid the root, check for self-issued with the function ssh_X509_is_selfsigned(). Remark: the function name is not perfect.

Note existing check for self-issued is quite specific.

>
> Thanks in advance,
> Mohit Gupta

Roumen
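The approach sketched in the reply above, as an added illustration (this is not code from the ssh_x509 project and not Roumen's or Mohit's code): a verify callback is invoked once per chain element after the built-in revocation check, and an OCSP request is issued for every certificate that is not self-issued, so the root CA is skipped. The certificate type, `toy_is_selfsigned()` (a subject-equals-issuer approximation of what `ssh_X509_is_selfsigned()` does; the real function also verifies the signature with the certificate's own key) and `toy_ocsp_validate()` (a stand-in for `ssh_ocsp_validate()` that only records which subjects would be queried) are all constructed assumptions so the program runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an X.509 certificate: only the two name fields
 * needed to model the self-issued check. Not the ssh_x509 project's types. */
typedef struct {
    const char *subject;
    const char *issuer;
} toy_cert;

/* Hypothetical model of ssh_X509_is_selfsigned(): "self-issued" is
 * approximated here by subject == issuer. A real check would also verify
 * the signature against the certificate's own public key. */
static int toy_is_selfsigned(const toy_cert *c) {
    return strcmp(c->subject, c->issuer) == 0;
}

/* Stand-in for ssh_ocsp_validate(): appends the subject of each certificate
 * an OCSP request would be sent for to `log`. Returns 1 = good, 0 = reject.
 * No network I/O happens here. */
static int toy_ocsp_validate(const toy_cert *c, char *log, size_t loglen) {
    strncat(log, c->subject, loglen - strlen(log) - 1);
    strncat(log, ";", loglen - strlen(log) - 1);
    return 1;
}

/* Model of an OpenSSL-style verify callback: `ok` is the result of the
 * built-in checks for this chain element (the revoked check included).
 * OCSP is requested after that check for every cert except a self-issued
 * one, which is how the reply proposes covering the whole chain minus root. */
static int toy_verify_cb(int ok, const toy_cert *cert, char *log, size_t loglen) {
    if (!ok)
        return 0;                      /* built-in check already failed */
    if (toy_is_selfsigned(cert))
        return ok;                     /* root CA: no OCSP request */
    return toy_ocsp_validate(cert, log, loglen);
}

/* Walk a chain root-first (chain[0] is the leaf, chain[n-1] the root),
 * invoking the callback per element as a verifier would.
 * Returns the number of certs an OCSP request was sent for, or -1 on failure. */
int ocsp_for_chain(const toy_cert *chain, int n, char *log, size_t loglen) {
    int count = 0;
    log[0] = '\0';
    for (int depth = n - 1; depth >= 0; depth--) {
        if (!toy_verify_cb(1, &chain[depth], log, loglen))
            return -1;
        if (!toy_is_selfsigned(&chain[depth]))
            count++;
    }
    return count;
}

int main(void) {
    /* Constructed three-element chain: leaf, intermediate, self-issued root. */
    const toy_cert chain[] = {
        { "CN=server",       "CN=Intermediate" },
        { "CN=Intermediate", "CN=Root" },
        { "CN=Root",         "CN=Root" },
    };
    char log[128];
    int n = ocsp_for_chain(chain, 3, log, sizeof log);
    printf("OCSP requests: %d (%s)\n", n, log);   /* 2 (CN=Intermediate;CN=server;) */
    return n == 2 ? 0 : 1;
}
```

Note that the callback sees the root first, so the self-issued test must run before any OCSP call; otherwise the root would be queried against a responder that cannot vouch for it.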


