
RE: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

by Natanael Mignon - michael-wessel.de

Dear list,

another update - we got it.

[Fri Jul 10 10:28:39 2009] [error] [client 172.30.64.154] MWDE/nm: OCSP response line unstripped: HTTP/1.1 200 OK
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: Date: Fri, 10 Jul 2009 09:29:06 GMT
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: content-length: 1212
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: Connection: close
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(260): [client 172.30.64.154] MWDE/nm, read turn 1: OCSP response read, but len == 0
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(284): [client 172.30.64.154] OCSP response: got 0 bytes, 0 total
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(292): [client 172.30.64.154] MWDE/nm, read turn 1: OCSP response in data: nul
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(284): [client 172.30.64.154] OCSP response: got 1212 bytes, 1212 total
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(292): [client 172.30.64.154] MWDE/nm, read turn 2: OCSP response in data: 0\x82\x04\xb8\n\x01
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(260): [client 172.30.64.154] MWDE/nm, read turn 3: OCSP response read, but len == 0
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(284): [client 172.30.64.154] OCSP response: got 0 bytes, 1212 total
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(292): [client 172.30.64.154] MWDE/nm, read turn 3: OCSP response in data:

Solution was to change the break conditions in Apache's mod_ssl (ssl_util_ocsp.c). The original code did break the loop reading response data from bucket to bio if it read an EOF *or* it read data of length == 0. Now we got this strange responder, which sends 0 bytes in the first line of the response. By only breaking the loop if EOF is read, we get to the second (and third, until the bucket is empty or an EOF is read) line of the response. And guess what's in the second line? :)

Thanks for the pointers to really check the data received!

Kind regards
 Natanael Mignon
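
The two read loops discussed in this message (the original one that also stops on a zero-length read, and the fixed one that stops only at EOF) together with the "really check the data received" advice from Steve, as an added example written for this thread and not mod_ssl's own code. The APR bucket brigade is replaced by a constructed chunk array that mirrors the logged read turns (0 bytes, then the body, then 0 bytes, then EOF), and the body bytes are the logged DER prefix 30 82 04 b8 0a 01; this also explains the earlier message, where the brigade looked empty after the headers.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the APR bucket brigade mod_ssl reads the OCSP body
 * from: a chunk sequence ended by an EOF marker (len == -1). As in the thread,
 * the responder's first read yields 0 bytes and the body follows afterwards. */
typedef struct { const unsigned char *data; int len; } chunk_t;

/* Start of the 1212-byte response as logged: 30 82 04 b8 0a 01 (the outer
 * SEQUENCE header promises 0x04b8 = 1208 content bytes, 1212 in total). */
static const unsigned char resp_head[] = { 0x30, 0x82, 0x04, 0xb8, 0x0a, 0x01 };

static const chunk_t odd_responder[] = {
    { NULL, 0 },                        /* read turn 1: len == 0 */
    { resp_head, sizeof resp_head },    /* read turn 2: the DER body */
    { NULL, 0 },                        /* read turn 3: len == 0 again */
    { NULL, -1 },                       /* EOF */
};

/* Copy chunks into out until EOF. With stop_on_empty set, a zero-length read
 * also ends the loop (the original behaviour); with it clear only EOF does
 * (the fix). Returns the number of bytes copied. */
size_t drain(const chunk_t *bb, int stop_on_empty, unsigned char *out, size_t cap) {
    size_t total = 0;
    for (const chunk_t *c = bb; c->len >= 0; c++) {
        if (c->len == 0) { if (stop_on_empty) break; else continue; }
        size_t n = (size_t)c->len;
        if (total + n > cap) n = cap - total;
        memcpy(out + total, c->data, n);
        total += n;
    }
    return total;
}

/* Steve's advice in code: before handing bytes to d2i_OCSP_RESPONSE, check the
 * outer DER SEQUENCE header. Returns the total length it promises (header plus
 * content), or 0 if there is no well-formed header. Compare it with the bytes
 * actually received and with Content-Length before decoding. */
size_t der_sequence_total_len(const unsigned char *buf, size_t len) {
    if (len < 2 || buf[0] != 0x30) return 0;
    if (buf[1] < 0x80) return 2 + buf[1];          /* short-form length */
    unsigned nbytes = buf[1] & 0x7f;
    if (nbytes == 0 || nbytes > 4 || len < 2 + nbytes) return 0;
    size_t l = 0;
    for (unsigned i = 0; i < nbytes; i++) l = (l << 8) | buf[2 + i];
    return 2 + nbytes + l;
}
```

With the constructed chunk sequence the old loop copies 0 bytes (the "not enough data" case) while the fixed loop copies the body, whose header promises 1212 bytes, matching the logged content-length.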

________________________________________
From: Natanael Mignon - michael-wessel.de [nm@...]
Sent: Friday, 10 July 2009 09:35
To: openssl-users@...
Subject: RE: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

Updated details. If we do compare the two requests (one failing because of "not enough data", one working fine), there are obvious differences in receiving the response.

Working fine:
[Tue Jul 07 14:32:24 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] sending request to OCSP responder
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Date: Tue, 07 Jul 2009 13:32:52 GMT
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Server: Apache-Coyote/1.1
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Type: application/ocsp-response
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Length: 1585
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Connection: close
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] OCSP response: got 1585 bytes, 1585 total
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(258): [client 10.200.48.140] MWDE/nm: OCSP response in data: 0\x82\x06-\n\x01
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(234): [client 10.200.48.140] OCSP response: got EOF


Failing:
[Tue Jul 07 14:38:23 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Tue, 07 Jul 2009 13:38:51 GMT
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Tue Jul 07 14:38:24 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Tue Jul 07 14:38:24 2009] [error] [client 172.30.64.154] failed to decode OCSP response data

This actually looks like we do not receive any response data except headers. The code branch where we print out the response data is not even called, because the receive bucket seems to be empty after the headers have been read out (Apache/mod_ssl/ssl_util_ocsp.c, "while (!APR_BRIGADE_EMPTY(bb))" --> copies from bb to bio).

What disturbs me: doing the same request from the same system with a generic OCSP client (Java-based, using the Bouncycastle lib) works fine ("OCSP Response: GOOD").

Any ideas?

Kind regards
 Natanael Mignon

________________________________________
From: owner-openssl-users@... [owner-openssl-users@...] on behalf of Dr. Stephen Henson [steve@...]
Sent: Friday, 3 July 2009 18:39
To: openssl-users@...
Subject: Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data


I suggest you check to see if you really get 1212 bytes of data in the
response and log them somewhere. If you post the result it can be analysed to
see if the response is valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...
