« Return to Thread: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data
Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data
by Natanael Mignon - michael-wessel.de
::
Rate this Message:
Dear list,
regarding the same project as my last question, we are many steps further by now.
Situation is as follows: Apache with mod_proxy and mod_ssl authenticates Client by certificate including online OCSP request. OCSP uri is correct, response is received, but then:
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data
I have traced the failing call so far:
Apache ssl_util_ocsp.c:
response = d2i_OCSP_RESPONSE_bio(bio, NULL);
if (response == NULL) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"failed to decode OCSP response data");
}
OpenSSL 0.9.8d crypto/ocsp/ocsp.h:
#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
Here I am really lost. What data is required to decode the response, what could be missing? First ideas are corrupt certificates - sounds reasonable also, because with a different client certificate issued by a different CA and therefore validated against a different OCSP responder everything works okay. But what certificates are required for decoding the response data here? The OCSP responder's signing certificate?
Any help is highly appreciated, thanks in advance!
Mit freundlichen Grüßen / Kind regards
Natanael Mignon
IT - beraten | planen | umsetzen | betreiben
__________________________________________________________________________
michael-wessel.de Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany
fon (+49) 511 260 911-0 (DW -13)
fax (+49) 511 318 039-9
eMail nm@...
web www.michael-wessel.de
Geschäftsführer: Michael Wessel Dipl. Phys.
Amtsgericht Hannover
HR B 59031
Alle Produktnamen und Firmennamen sind ggfs. eingetragene Warenzeichen und/oder Markennamen der jeweiligen Hersteller.
Angebote freibleibend, Irrtümer und Druckfehler vorbehalten.
Lieferung vorbehaltlich ausreichender Selbstbelieferung.
© 2009 michael-wessel.de
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...
regarding the same project as my last question, we are many steps further by now.
Situation is as follows: Apache with mod_proxy and mod_ssl authenticates Client by certificate including online OCSP request. OCSP uri is correct, response is received, but then:
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data
I have traced the failing call so far:
Apache ssl_util_ocsp.c:
response = d2i_OCSP_RESPONSE_bio(bio, NULL);
if (response == NULL) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"failed to decode OCSP response data");
}
OpenSSL 0.9.8d crypto/ocsp/ocsp.h:
#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
Here I am really lost. What data is required to decode the response, what could be missing? First ideas are corrupt certificates - sounds reasonable also, because with a different client certificate issued by a different CA and therefore validated against a different OCSP responder everything works okay. But what certificates are required for decoding the response data here? The OCSP responder's signing certificate?
Any help is highly appreciated, thanks in advance!
Mit freundlichen Grüßen / Kind regards
Natanael Mignon
IT - beraten | planen | umsetzen | betreiben
__________________________________________________________________________
michael-wessel.de Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany
fon (+49) 511 260 911-0 (DW -13)
fax (+49) 511 318 039-9
eMail nm@...
web www.michael-wessel.de
Geschäftsführer: Michael Wessel Dipl. Phys.
Amtsgericht Hannover
HR B 59031
Alle Produktnamen und Firmennamen sind ggfs. eingetragene Warenzeichen und/oder Markennamen der jeweiligen Hersteller.
Angebote freibleibend, Irrtümer und Druckfehler vorbehalten.
Lieferung vorbehaltlich ausreichender Selbstbelieferung.
© 2009 michael-wessel.de
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...
« Return to Thread: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data
| Free embeddable forum powered by Nabble | Forum Help |
