Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

Dear list,

regarding the same project as my last question, we are many steps further by now.

Situation is as follows: Apache with mod_proxy and mod_ssl authenticates the client by certificate, including an online OCSP request. The OCSP URI is correct, a response is received, but then:

[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data

I have traced the failing call so far:

Apache ssl_util_ocsp.c:

    response = d2i_OCSP_RESPONSE_bio(bio, NULL);

    if (response == NULL) {
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "failed to decode OCSP response data");
    }

OpenSSL 0.9.8d crypto/ocsp/ocsp.h:

    #define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)

Here I am really lost. What data is required to decode the response, what could be missing? First idea: corrupt certificates. This also sounds reasonable, because with a different client certificate issued by a different CA, and therefore validated against a different OCSP responder, everything works okay.

But what certificates are required for decoding the response data here? The OCSP responder's signing certificate?

Any help is highly appreciated, thanks in advance!

Mit freundlichen Grüßen / Kind regards

Natanael Mignon
IT - consulting | planning | implementation | operation
__________________________________________________________________________
michael-wessel.de Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany
fon (+49) 511 260 911-0 (DW -13)
fax (+49) 511 318 039-9
eMail nm@...
web www.michael-wessel.de
Managing director: Michael Wessel, Dipl. Phys.
Registered at Amtsgericht Hannover, HR B 59031
All product and company names may be registered trademarks and/or brand names of their respective manufacturers. Offers subject to change; errors and misprints excepted. Delivery subject to sufficient supply to ourselves.
© 2009 michael-wessel.de
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...
Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

On Fri, Jul 03, 2009, Natanael Mignon - michael-wessel.de wrote:

> Here I am really lost. What data is required to decode the response, what could be missing?
> But what certificates are required for decoding the response data here? The OCSP responder's signing certificate?

I suggest you check to see if you really get 1212 bytes of data in the response and log them somewhere. If you post the result it can be analysed to see if the response is valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
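Steve's suggestion amounts to a concrete check a practitioner can automate: d2i_OCSP_RESPONSE needs nothing but a complete DER buffer, so "not enough data" means fewer bytes reached the decoder than the outer SEQUENCE header declares. The following added example (not code from this thread, from httpd or from OpenSSL; the function names and the enum are assumptions) parses only the outer DER header and compares the declared size with the bytes received. The two header prefixes mod_ssl logged later in this thread ("0\x82\x04\xb8\n\x01" and "0\x82\x06-\n\x01") decode to exactly the Content-Length values 1212 and 1585, which is how one tells a truncated transfer from a malformed response.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of comparing a received OCSP response body with its own DER header. */
typedef enum {
    OCSP_BODY_EMPTY,      /* nothing received at all (the failing trace in this thread) */
    OCSP_BODY_TRUNCATED,  /* fewer bytes than the outer SEQUENCE declares */
    OCSP_BODY_NOT_DER,    /* no definite-length SEQUENCE at the front, or trailing bytes */
    OCSP_BODY_COMPLETE    /* exactly the declared number of bytes */
} ocsp_body_status_t;

/* Total encoded size (tag + length bytes + content) of the outermost DER TLV.
 * Returns 0 if more bytes are needed to read the header, -1 if it is not
 * definite-length DER. Hypothetical helper, not an OpenSSL function. */
long der_total_length(const unsigned char *buf, size_t len)
{
    if (len < 2) return 0;
    unsigned first = buf[1];
    if (first < 0x80) return 2 + (long)first;      /* short form: one length byte */
    if (first == 0x80) return -1;                  /* indefinite length: BER only, never DER */
    size_t nbytes = first & 0x7f;
    if (nbytes > sizeof(long) - 1) return -1;      /* length field too wide to be sane */
    if (len < 2 + nbytes) return 0;
    long content = 0;
    for (size_t i = 0; i < nbytes; i++) content = (content << 8) | buf[2 + i];
    return 2 + (long)nbytes + content;
}

/* Classify what arrived against what the DER header promises. */
ocsp_body_status_t ocsp_body_status(const unsigned char *buf, size_t received)
{
    if (received == 0) return OCSP_BODY_EMPTY;
    if (buf[0] != 0x30) return OCSP_BODY_NOT_DER;  /* OCSPResponse ::= SEQUENCE { ... } */
    long total = der_total_length(buf, received);
    if (total == 0) return OCSP_BODY_TRUNCATED;
    if (total < 0) return OCSP_BODY_NOT_DER;
    if ((size_t)total > received) return OCSP_BODY_TRUNCATED;
    if ((size_t)total < received) return OCSP_BODY_NOT_DER;  /* trailing garbage */
    return OCSP_BODY_COMPLETE;
}

/* responseStatus is the first element of OCSPResponse, an ENUMERATED
 * (tag 0x0a, one content byte); 0 means "successful". Returns -1 if absent. */
int ocsp_response_status(const unsigned char *buf, size_t len)
{
    if (ocsp_body_status(buf, len) != OCSP_BODY_COMPLETE) return -1;
    size_t off = 2 + ((buf[1] & 0x80) ? (buf[1] & 0x7f) : 0);
    if (off + 3 > len || buf[off] != 0x0a || buf[off + 1] != 0x01) return -1;
    return buf[off + 2];
}

/* Constructed sample bodies: the header bytes mod_ssl logged for each responder,
 * followed by a responseStatus of 0 and zero padding up to the declared
 * Content-Length. Only the header bytes are from the thread; the padding is
 * filler, not a real OCSP response. */
static const unsigned char FAILING_HDR[] = { 0x30, 0x82, 0x04, 0xb8, 0x0a, 0x01, 0x00 }; /* "0\x82\x04\xb8\n\x01" */
static const unsigned char WORKING_HDR[] = { 0x30, 0x82, 0x06, 0x2d, 0x0a, 0x01, 0x00 }; /* "0\x82\x06-\n\x01" */

size_t make_sample_body(unsigned char *out, size_t cap,
                        const unsigned char *hdr, size_t hdrlen, size_t content_length)
{
    if (content_length > cap || hdrlen > content_length) return 0;
    memset(out, 0, content_length);
    memcpy(out, hdr, hdrlen);
    return content_length;
}

int main(void)
{
    unsigned char buf[2048];
    size_t n = make_sample_body(buf, sizeof buf, FAILING_HDR, sizeof FAILING_HDR, 1212);
    printf("failing responder: DER declares %ld bytes, Content-Length 1212, status %d\n",
           der_total_length(buf, n), ocsp_body_status(buf, n));
    n = make_sample_body(buf, sizeof buf, WORKING_HDR, sizeof WORKING_HDR, 1585);
    printf("working responder: DER declares %ld bytes, Content-Length 1585, status %d\n",
           der_total_length(buf, n), ocsp_body_status(buf, n));
    return 0;
}
```

If ocsp_body_status reports OCSP_BODY_EMPTY or OCSP_BODY_TRUNCATED while the HTTP Content-Length matches the DER length, the bytes were lost between the socket and the decoder, not produced wrongly by the responder; that is the situation this thread ends up diagnosing. Either way the verifier must keep treating the certificate as unverified rather than falling back to "good".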
Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

Hello and thanks so far,

it seems there could indeed be something wrong with the responder. With the working responder the log looks like this (different headers, different content-length, two content parts...):

[Tue Jul 07 13:57:39 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] sending request to OCSP responder
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Date: Tue, 07 Jul 2009 12:58:07 GMT
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Server: Apache-Coyote/1.1
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Type: application/ocsp-response
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Length: 1664
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Connection: close
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] OCSP response: got 1203 bytes, 1203 total
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] OCSP response: got 461 bytes, 1664 total
[Tue Jul 07 13:57:40 2009] [debug] ssl_util_ocsp.c(234): [client 10.200.48.140] OCSP response: got EOF

I did not manage to write out the actual content so far. If possible I will post it soon.

Mit freundlichen Grüßen / Kind regards

Natanael Mignon
Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

Updated details. If we compare the two requests (one failing because of "not enough data", one working fine), there are obvious differences in receiving the response.

Working fine:

[Tue Jul 07 14:32:24 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] sending request to OCSP responder
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Date: Tue, 07 Jul 2009 13:32:52 GMT
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Server: Apache-Coyote/1.1
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Type: application/ocsp-response
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Content-Length: 1585
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(208): [client 10.200.48.140] OCSP response header: Connection: close
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(250): [client 10.200.48.140] OCSP response: got 1585 bytes, 1585 total
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(258): [client 10.200.48.140] MWDE/nm: OCSP response in data: 0\x82\x06-\n\x01
[Tue Jul 07 14:32:25 2009] [debug] ssl_util_ocsp.c(234): [client 10.200.48.140] OCSP response: got EOF

Failing:

[Tue Jul 07 14:38:23 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Tue, 07 Jul 2009 13:38:51 GMT
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Tue Jul 07 14:38:24 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Tue Jul 07 14:38:24 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Tue Jul 07 14:38:24 2009] [error] [client 172.30.64.154] failed to decode OCSP response data

This actually looks like we do not receive any response data except headers. The code branch where we print out the response data is not even called, because the receive bucket seems to be empty after the headers have been read out (Apache/mod_ssl/ssl_util_ocsp.c, "while (!APR_BRIGADE_EMPTY(bb))" --> copies from bb to bio).

What disturbs me: doing the same request from the same system with a generic OCSP client (Java-based, using the Bouncy Castle library) works fine ("OCSP Response: GOOD").

Any ideas?

Mit freundlichen Grüßen / Kind regards

Natanael Mignon
Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

Dear list,

another update - we got it.

[Fri Jul 10 10:28:39 2009] [error] [client 172.30.64.154] MWDE/nm: OCSP response line unstripped: HTTP/1.1 200 OK
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: Date: Fri, 10 Jul 2009 09:29:06 GMT
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: content-length: 1212
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: Connection: close
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(260): [client 172.30.64.154] MWDE/nm, read turn 1: OCSP response read, but len == 0
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(284): [client 172.30.64.154] OCSP response: got 0 bytes, 0 total
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(292): [client 172.30.64.154] MWDE/nm, read turn 1: OCSP response in data: nul
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(284): [client 172.30.64.154] OCSP response: got 1212 bytes, 1212 total
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(292): [client 172.30.64.154] MWDE/nm, read turn 2: OCSP response in data: 0\x82\x04\xb8\n\x01
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(260): [client 172.30.64.154] MWDE/nm, read turn 3: OCSP response read, but len == 0
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(284): [client 172.30.64.154] OCSP response: got 0 bytes, 1212 total
[Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(292): [client 172.30.64.154] MWDE/nm, read turn 3: OCSP response in data:

The solution was to change the break conditions in Apache's mod_ssl (ssl_util_ocsp.c). The original code broke out of the loop that reads response data from the bucket into the bio if it read an EOF *or* it read data of length == 0. Now we got this strange responder, which sends 0 bytes in the first line of the response.

By only breaking the loop if EOF is read, we get to the second (and third, until the bucket is empty or an EOF is read) line of the response. And guess what's in the second line? :)

Thanks for the pointers to really check the data received!

Mit freundlichen Grüßen / Kind regards

Natanael Mignon
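The loop-termination change the last message describes is easy to get wrong in either direction, so here is an added example (not the thread's patch, and not httpd's ssl_util_ocsp.c; the sim_bucket type and all function names are assumptions) that models the body-reading loop over a constructed sequence of buckets and runs the two termination rules side by side. The bucket sizes are taken from the traces in this thread: the strange responder delivers an empty bucket, then 1212 bytes, then another empty bucket before EOF; the working responder delivers 1203 + 461 bytes and then EOF.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One bucket of an HTTP response body as the reading loop sees it.
 * Constructed stand-in for an APR bucket; no APR or httpd code is used. */
typedef struct {
    const unsigned char *data;
    size_t len;
    int eof;   /* 1 = end-of-stream marker carrying no data */
} sim_bucket;

/* Original rule as the poster describes it: leave the loop on EOF *or* on a
 * zero-length read. A leading empty bucket therefore ends the read at 0 bytes,
 * and d2i_OCSP_RESPONSE_bio later fails with "not enough data". */
size_t read_body_original(const sim_bucket *bb, size_t n, unsigned char *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (bb[i].eof) break;                    /* "OCSP response: got EOF" */
        if (bb[i].len == 0) break;               /* the condition that bites here */
        if (bb[i].len > cap - total) break;      /* never write past the buffer */
        memcpy(out + total, bb[i].data, bb[i].len);
        total += bb[i].len;
    }
    return total;
}

/* Fixed rule: only EOF (or an exhausted brigade) ends the loop; empty buckets
 * are skipped, so the 1212 bytes in the second bucket are still collected.
 * The size cap stays in place so a misbehaving responder cannot grow the buffer without bound. */
size_t read_body_fixed(const sim_bucket *bb, size_t n, unsigned char *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (bb[i].eof) break;
        if (bb[i].len == 0) continue;
        if (bb[i].len > cap - total) break;
        memcpy(out + total, bb[i].data, bb[i].len);
        total += bb[i].len;
    }
    return total;
}

/* Constructed body bytes standing in for the DER response. The contents do not
 * matter to the loop logic; only the chunk sizes from the traces do. */
#define SAMPLE_BODY_LEN 1664
static unsigned char sample_body[SAMPLE_BODY_LEN];

/* Bucket sequence seen from the strange responder: empty, 1212 bytes, empty, EOF. */
size_t failing_responder_brigade(sim_bucket *bb)
{
    bb[0] = (sim_bucket){ sample_body, 0, 0 };
    bb[1] = (sim_bucket){ sample_body, 1212, 0 };
    bb[2] = (sim_bucket){ sample_body, 0, 0 };
    bb[3] = (sim_bucket){ NULL, 0, 1 };
    return 4;
}

/* Bucket sequence from the working responder (third message): 1203 + 461 bytes, then EOF. */
size_t working_responder_brigade(sim_bucket *bb)
{
    bb[0] = (sim_bucket){ sample_body, 1203, 0 };
    bb[1] = (sim_bucket){ sample_body + 1203, 461, 0 };
    bb[2] = (sim_bucket){ NULL, 0, 1 };
    return 3;
}

int main(void)
{
    sim_bucket bb[4];
    unsigned char out[SAMPLE_BODY_LEN];
    size_t n = failing_responder_brigade(bb);
    printf("strange responder: original loop %zu bytes, fixed loop %zu bytes\n",
           read_body_original(bb, n, out, sizeof out), read_body_fixed(bb, n, out, sizeof out));
    n = working_responder_brigade(bb);
    printf("working responder: original loop %zu bytes, fixed loop %zu bytes\n",
           read_body_original(bb, n, out, sizeof out), read_body_fixed(bb, n, out, sizeof out));
    return 0;
}
```

Both rules agree on the working responder; only the strange one separates them. Whichever loop is used, the bytes it hands to the decoder should still be checked against the Content-Length header and the DER length, and a short or empty body must leave the client certificate unverified rather than being treated as a "good" status.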