For unknown certificates OCSP should have unknown CertStatus (part 2) #4534
Commits on Aug 9, 2023
-
For unknown certificates OCSP should have unknown CertStatus (part 2)
The CA's internal OCSP fails to handle certs issued by an unknown CA. There is code in the CA's validation to handle that scenario but that validation is never triggered as the request handling code that wraps it considers not knowing the origin CA to be an error condition. The code is changed to allow the validating CA to proceed even if the origin CA is unknown, reporting Unknown for the CertStatus, while delegating to the origin CA if it is found.
Commits on Aug 10, 2023
-
Internal OCSP CA identification using request hash
In case of multiple CAs the correct one was selected using the first certificate. This could provide inconsistent. Now the selection is based on the request issuer name. Additionally, the output has been made consistent with the external OCSP for all the possibilities of subject and issuers.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.