
AW: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

by Natanael Mignon - michael-wessel.de

Updated details. If we do compare the two requests (one failing because of "not enough data", one working fine), there are obvious differences in receiving the response.

Working fine:
[Tue Jul 07 14:32:24 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] sending request to OCSP responder
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Date: Tue, 07 Jul 2009 13:32:52 GMT
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Server: Apache-Coyote/1.1
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Type: application/ocsp-response
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Length: 1585
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Connection: close
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] OCSP response: got 1585 bytes, 1585 total
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(258): [client 10.200.48.140] MWDE/nm: OCSP response in data: 0\x82\x06-\n\x01
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(234): [client 10.200.48.140] OCSP response: got EOF


Failing:
[Tue Jul 07 14:38:23 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Tue, 07 Jul 2009 13:38:51 GMT
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Tue Jul 07 14:38:24 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Tue Jul 07 14:38:24 2009] [error] [client 172.30.64.154] failed to decode OCSP response data

This actually looks like we do not receive any response data except headers. The code branch where we print out the response data is not even called, because the receive bucket seems to be empty after the headers have been read out (Apache/mod_ssl/ssl_util_ocsp.c, "while (!APR_BRIGADE_EMPTY(bb))" --> copies from bb to bio).

What disturbs me: Doing the same request from the same system with a generic OCSP-client (Java-based, using Bouncycastle-lib) works fine ("OCSP Response: GOOD").

Any ideas?

Kind regards
 Natanael Mignon

________________________________________
From: owner-openssl-users@... [owner-openssl-users@...] on behalf of Dr. Stephen Henson [steve@...]
Sent: Friday, 3 July 2009 18:39
To: openssl-users@...
Subject: Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data


I suggest you check to see if you really get 1212 bytes of data in the
response and log them somewhere. If you post the result it can be analysed to
see if the response is valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
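
Added example (not part of the original messages and not mod_ssl code): one way to run the check suggested above across a whole debug log, pairing each exchange's declared Content-Length (matched case-insensitively) with the body bytes mod_ssl reports before EOF. The names audit and SAMPLE_LOG are hypothetical; the log lines are copied from the post.

```python
import re

# Log lines copied (abridged) from the two exchanges quoted in the post.
SAMPLE_LOG = """\
[Tue Jul 07 14:32:24 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] sending request to OCSP responder
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Length: 1585
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] OCSP response: got 1585 bytes, 1585 total
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(234): [client 10.200.48.140] OCSP response: got EOF
[Tue Jul 07 14:38:23 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Tue Jul 07 14:38:24 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Tue Jul 07 14:38:24 2009] [error] [client 172.30.64.154] failed to decode OCSP response data
"""

LINE = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# HTTP header names are case-insensitive; the failing responder sends lowercase.
CLEN = re.compile(r"OCSP response header: content-length:\s*(\d+)", re.I)
GOT = re.compile(r"OCSP response: got (\d+) bytes, (\d+) total")


def audit(log_text):
    """Return one dict per OCSP exchange: declared vs. received body bytes."""
    results, open_by_client = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "SSL Library Error" lines carry no client tag
        client, msg = m["client"], m["msg"]
        if msg.startswith("sending request to OCSP responder"):
            open_by_client[client] = {"client": client, "declared": None, "received": 0}
        ex = open_by_client.get(client)
        if ex is None:
            continue  # line outside any tracked exchange
        if (h := CLEN.search(msg)):
            ex["declared"] = int(h.group(1))
        elif (g := GOT.search(msg)):
            ex["received"] = int(g.group(2))  # running total reported by mod_ssl
        elif msg.startswith("OCSP response: got EOF"):
            # Truncated: EOF arrived before the declared number of body bytes.
            ex["truncated"] = ex["declared"] is not None and ex["received"] < ex["declared"]
            results.append(open_by_client.pop(client))
    return results


if __name__ == "__main__":
    for ex in audit(SAMPLE_LOG):
        print(ex)
```
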
