OCSP: opt-in fail-closed on missing responder#10945
Conversation
WOLFSSL_OCSP_CHECKALL is a scope flag ("always leaf, but all ?"), selecting
which certs are checked, not how hard to fail when one advertises no OCSP
responder in its AIA. Treating a missing responder as a hard failure breaks
any chain whose CA publishes no OCSP URI (e.g. Google GTS WR2), a
configuration that only grows as CAs drop responders. Strictness belongs in
its own opt-in flag.
- Keep CHECKALL scope-only; a cert with no responder soft-fails by default.
- Return distinct OCSP_NO_URL for "no responder", separate from a failed
lookup; stapling response handling stays best-effort (mapped to CERT_GOOD).
- Add WOLFSSL_OCSP_FAIL_IF_NOT_SUPPORTED (via OcspNoUrlPolicy) to refuse such
certs; independent of CHECKALL.
- Add test_ocsp_no_url_policy covering both halves.
There was a problem hiding this comment.
Pull request overview
This PR adjusts wolfSSL’s OCSP verification semantics so that WOLFSSL_OCSP_CHECKALL remains a scope flag (which certificates are checked) rather than implicitly changing failure policy when a certificate has no OCSP responder URL (no AIA OCSP URI). It introduces a new opt-in flag to fail-closed specifically on “no responder URL” cases, and adds a regression test to prevent reintroducing hard-fail behavior by default.
Changes:
- Add
WOLFSSL_OCSP_FAIL_IF_NOT_SUPPORTEDto opt-in to fail-closed when a cert advertises no OCSP responder (no URL and no override). - Introduce distinct return code
OCSP_NO_URLfor “no responder URL,” and centralize policy mapping viaOcspNoUrlPolicy(). - Update OCSP stapling and verification call paths to treat
OCSP_NO_URLas best-effort by default, while honoring the new opt-in policy; addtest_ocsp_no_url_policy.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
wolfssl/ssl.h |
Adds the new OCSP option flag and clarifies CHECKALL semantics in comments. |
wolfssl/ocsp.h |
Declares OcspNoUrlPolicy() for internal policy mapping. |
wolfssl/internal.h |
Adds cert-manager state bit for fail-closed-on-no-responder policy. |
wolfssl/error-ssl.h |
Introduces OCSP_NO_URL error code and updates WOLFSSL_LAST_E. |
src/ocsp.c |
Returns OCSP_NO_URL on missing responder URL and adds OcspNoUrlPolicy() helper. |
src/ssl_certman.c |
Wires new option into cert manager and applies policy during OCSP checks. |
src/tls.c |
Applies policy to client fallback leaf OCSP lookups; keeps stapling best-effort. |
src/internal.c |
Applies policy to non-stapling verification paths and treats OCSP_NO_URL as best-effort for stapling; adds error-string mapping. |
tests/api/test_ocsp.h |
Declares new test entry point. |
tests/api/test_ocsp.c |
Adds regression test covering default soft-fail vs opt-in fail-closed behavior. |
tests/api.c |
Registers the new OCSP test in the API test suite. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10945
Scan targets checked: wolfcrypt-rs-bugs, wolfssl-bugs, wolfssl-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Description
WOLFSSL_OCSP_CHECKALL is a scope flag ("always leaf, but all ?"), selecting which certs are checked, not how hard to fail when one advertises no OCSP responder in its AIA. Treating a missing responder as a hard failure breaks any chain whose CA publishes no OCSP URI (e.g. Google GTS WR2), a configuration that only grows as CAs drop responders. Strictness belongs in its own opt-in flag.
Testing
Added a new test for the new option to make sure it sets correctly. Also ran the build test that was failing with and without the new flag that triggers the error that was the problem.
Checklist