« Return to Thread: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data
Re: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data
by Dr. Stephen Henson
::
Rate this Message:
On Fri, Jul 03, 2009, Natanael Mignon - michael-wessel.de wrote:
> Dear list,
>
> regarding the same project as my last question, we are many steps further by now.
>
> Situation is as follows: Apache with mod_proxy and mod_ssl authenticates Client by certificate including online OCSP request. OCSP uri is correct, response is received, but then:
>
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
> [Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
> [Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data
>
>
>
> I have traced the failing call so far:
>
>
>
> Apache ssl_util_ocsp.c:
>
>
>
> response = d2i_OCSP_RESPONSE_bio(bio, NULL);
>
> if (response == NULL) {
> ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
> ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
> "failed to decode OCSP response data");
> }
>
>
>
> OpenSSL 0.9.8d crypto/ocsp/ocsp.h:
>
>
>
> #define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
>
>
>
> Here I am really lost. What data is required to decode the response, what could be missing? First ideas are corrupt certificates - sounds reasonable also, because with a different client certificate issued by a different CA and therefore validated against a different OCSP responder everything works okay. But what certificates are required for decoding the response data here? The OCSP responder's signing certificate?
>
>
> Any help is highly appreciated, thanks in advance!
>
I suggest you check to see if you really get 1212 bytes of data in the
response and log them somewhere. If you post the result it can be analysed to
see if the response is valid.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...
> Dear list,
>
> regarding the same project as my last question, we are many steps further by now.
>
> Situation is as follows: Apache with mod_proxy and mod_ssl authenticates Client by certificate including online OCSP request. OCSP uri is correct, response is received, but then:
>
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
> [Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
> [Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data
>
>
>
> I have traced the failing call so far:
>
>
>
> Apache ssl_util_ocsp.c:
>
>
>
> response = d2i_OCSP_RESPONSE_bio(bio, NULL);
>
> if (response == NULL) {
> ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
> ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
> "failed to decode OCSP response data");
> }
>
>
>
> OpenSSL 0.9.8d crypto/ocsp/ocsp.h:
>
>
>
> #define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
>
>
>
> Here I am really lost. What data is required to decode the response, what could be missing? First ideas are corrupt certificates - sounds reasonable also, because with a different client certificate issued by a different CA and therefore validated against a different OCSP responder everything works okay. But what certificates are required for decoding the response data here? The OCSP responder's signing certificate?
>
>
> Any help is highly appreciated, thanks in advance!
>
I suggest you check to see if you really get 1212 bytes of data in the
response and log them somewhere. If you post the result it can be analysed to
see if the response is valid.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...
« Return to Thread: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data
| Free embeddable forum powered by Nabble | Forum Help |
