-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problem with small certificate serial numbers #5
Comments
Hi, |
I think your change should work. But I have already adapted your source code to my needs: |
@augenblickliebhaber I suppose it would be nice when you could create a merge request, so that the original author (or other users) can decide. |
I have created a fork with the adapted source code: https://github.com/augenblickliebhaber/ocsp_proxy |
Thanks for sharing. I like the idea of using an own thread for writing to redis.
|
Thanks for the hint, that Redis is able do handle concurrent write accesses on its own. The problem for me was, that the lock in your source code blocked access to all database entries and not just the one, that was used. During access (read or write) to a single entry, your lock also blocks access (read or write) to all other cache entries. The problem with the multiple (and unnecessary) responder request, you described, is not so bad for me. |
Certificates of my own PKI have small serial numbers (less than 256). Because of this there is a problem in line 409:
$ocsp_req->{'tbsRequest'}->{'requestList'}->[0]->{'reqCert'}->{'serialNumber'}->as_hex;
I think the ASN1 parser does not convert small serial numbers into an object but into an integer value that has no method.
So I get this error for a certificate with serial number 49 (decimal):
Thread 2 terminated abnormally: Can't locate object method "as_hex" via package "49" (perhaps you forgot to load "49"?) at /usr/local/sbin/ocsp_proxy line 409.
Perhaps it is better not to convert the serial numbers to hexadecimal values for the cache key, and use
'_' . $ocsp_req->{'tbsRequest'}->{'requestList'}->[0]->{'reqCert'}->{'serialNumber'};
instead in line 409, so it will work for small and for large serial numbers.
The text was updated successfully, but these errors were encountered: