openbao icon indicating copy to clipboard operation
openbao copied to clipboard

Published 20 hours ago verified publisher icon openbao

Ensure OSCP response is signed by correct issuer

Open JanMa opened this issue 10 months ago • 4 comments

This has been fixed in Vault 1.14.10 and we should fix it as well.

JanMa avatar Apr 04 '24 20:04 JanMa

See also https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573

cipherboy avatar Apr 04 '24 22:04 cipherboy

Hello all,

I can take this bug, if you want. @naphelps , if no objection, could you assign me this bug ?

Thanks!

DanGhita avatar Apr 11 '24 12:04 DanGhita

@DanGhita This is rather complicated; let's chat about this one online sometime. I have a reproducer, and while I conceptually know the fix, fixing this doesn't really accomplish much, IMHO. I think the OCSP ecosystem needs additional changes.

Mind sending me an email and we can decide on times?

cipherboy avatar Apr 11 '24 13:04 cipherboy

OK @cipherboy , no problem.

DanGhita avatar Apr 11 '24 13:04 DanGhita