grimm-co / gocsp-responder Goto Github PK

Hi,

I'm facing an issue again. I tested the setup with Firefox to see if the repsonder works properly with browser requests as well. Unfortunately it does not. Requests comming from Firefox result in:

http: panic serving 1.2.3.4:1234: runtime error: invalid memory address or nil pointer dereference

Here is a trace from the log file:

2017/03/03 14:03:02 Got POST request from 1.2.3.4:1234
2017/03/03 14:03:02 Looking for serial ...
2017/03/03 14:03:02 Found entry &{...}
2017/03/03 14:03:02 This certificate is valid
2017/03/03 14:03:02 http: panic serving 1.2.3.4:1234: runtime error: invalid memory address or nil pointer dereference
goroutine XX [running]:
net/http.(*conn).serve.func1(...)
        /path/to/go/src/net/http/server.go:1721 ...
panic(...)
        /path/to/go/src/runtime/panic.go:489 ...
gocsp-responder/responder.(*OCSPResponder).verify(...)
        /path/to/gocsp-responder/responder/responder.go:307 ...
gocsp-responder/responder.(*OCSPResponder).makeHandler.func1(...)
        /path/to/gocsp-responder/responder/responder.go:100 ...
net/http.HandlerFunc.ServeHTTP(...)
        /path/to/go/src/net/http/server.go:1942 ...
net/http.(*ServeMux).ServeHTTP(...)
        /path/to/go/src/net/http/server.go:2238 ...
net/http.serverHandler.ServeHTTP(...)
        /path/to/go/src/net/http/server.go:2568 ...
net/http.(*conn).serve(...)
        /path/to/go/src/net/http/server.go:1825 ...
created by net/http.(*Server).Serve
        /path/to/go/src/net/http/server.go:2668 ...

The same happens with GET requests comming from Microsoft CryptoAPI.

Please let me know if you need any further information.

Thanks!

Hi,

First of all I would like to thank you for this great project - exactly what I have been looking for. However, I am facing the issue that I am unable to check the status of any certificate using openssl ocsp command because GOSCP is always complaining with "Issuer name does not match". Checking the same certificate with the OpenSSL OCSP Server using the same index file, CA file, rcert and rkey is working fine. What am I doing wrong?

Thank you!

Hi,

I was just testing with a certificate with a 16 bytes serial number using openssl ocsp command. In the responder log I can see: Looking for serial 0xa737f5dbf1d133b3 In fact the serial is twice the size. The first 8 bytes seem to be cut off. Therefore the verification fails. Is this an issue with the responder or openssl? It works just fine if i remove the first 8 bytes in the index file.

Thanks!

EDIT: Corrected "bits" to "bytes"

Hi,

I'm just wondering if it was possible to serve OCSP repsonses for multiple intermediate CAs. How to configure this when there are multiple DBs and CA certs?

Thanks!

Would it be possible to reference a signed CRL rather than a txt file?
Also, it would be great to be able to provide an encrypted signing key and provide the passphrase in an environment variable or something.

Great project btw,
thanks!