Skip to content

OCSP: opt-in fail-closed on missing responder#10945

Open
ejohnstown wants to merge 1 commit into
wolfSSL:masterfrom
ejohnstown:ocsp-fail
Open

OCSP: opt-in fail-closed on missing responder#10945
ejohnstown wants to merge 1 commit into
wolfSSL:masterfrom
ejohnstown:ocsp-fail

Conversation

@ejohnstown

Copy link
Copy Markdown
Contributor

Description

WOLFSSL_OCSP_CHECKALL is a scope flag ("always leaf, but all ?"), selecting which certs are checked, not how hard to fail when one advertises no OCSP responder in its AIA. Treating a missing responder as a hard failure breaks any chain whose CA publishes no OCSP URI (e.g. Google GTS WR2), a configuration that only grows as CAs drop responders. Strictness belongs in its own opt-in flag.

  • Keep CHECKALL scope-only; a cert with no responder soft-fails by default.
  • Return distinct OCSP_NO_URL for "no responder", separate from a failed lookup; stapling response handling stays best-effort (mapped to CERT_GOOD).
  • Add WOLFSSL_OCSP_FAIL_IF_NOT_SUPPORTED (via OcspNoUrlPolicy) to refuse such certs; independent of CHECKALL.
  • Add test_ocsp_no_url_policy covering both halves.

Testing

Added a new test for the new option to make sure it sets correctly. Also ran the build test that was failing with and without the new flag that triggers the error that was the problem.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

WOLFSSL_OCSP_CHECKALL is a scope flag ("always leaf, but all ?"), selecting
which certs are checked, not how hard to fail when one advertises no OCSP
responder in its AIA. Treating a missing responder as a hard failure breaks
any chain whose CA publishes no OCSP URI (e.g. Google GTS WR2), a
configuration that only grows as CAs drop responders. Strictness belongs in
its own opt-in flag.

- Keep CHECKALL scope-only; a cert with no responder soft-fails by default.
- Return distinct OCSP_NO_URL for "no responder", separate from a failed
  lookup; stapling response handling stays best-effort (mapped to CERT_GOOD).
- Add WOLFSSL_OCSP_FAIL_IF_NOT_SUPPORTED (via OcspNoUrlPolicy) to refuse such
  certs; independent of CHECKALL.
- Add test_ocsp_no_url_policy covering both halves.
Copilot AI review requested due to automatic review settings July 17, 2026 20:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts wolfSSL’s OCSP verification semantics so that WOLFSSL_OCSP_CHECKALL remains a scope flag (which certificates are checked) rather than implicitly changing failure policy when a certificate has no OCSP responder URL (no AIA OCSP URI). It introduces a new opt-in flag to fail-closed specifically on “no responder URL” cases, and adds a regression test to prevent reintroducing hard-fail behavior by default.

Changes:

  • Add WOLFSSL_OCSP_FAIL_IF_NOT_SUPPORTED to opt-in to fail-closed when a cert advertises no OCSP responder (no URL and no override).
  • Introduce distinct return code OCSP_NO_URL for “no responder URL,” and centralize policy mapping via OcspNoUrlPolicy().
  • Update OCSP stapling and verification call paths to treat OCSP_NO_URL as best-effort by default, while honoring the new opt-in policy; add test_ocsp_no_url_policy.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file
File Description
wolfssl/ssl.h Adds the new OCSP option flag and clarifies CHECKALL semantics in comments.
wolfssl/ocsp.h Declares OcspNoUrlPolicy() for internal policy mapping.
wolfssl/internal.h Adds cert-manager state bit for fail-closed-on-no-responder policy.
wolfssl/error-ssl.h Introduces OCSP_NO_URL error code and updates WOLFSSL_LAST_E.
src/ocsp.c Returns OCSP_NO_URL on missing responder URL and adds OcspNoUrlPolicy() helper.
src/ssl_certman.c Wires new option into cert manager and applies policy during OCSP checks.
src/tls.c Applies policy to client fallback leaf OCSP lookups; keeps stapling best-effort.
src/internal.c Applies policy to non-stapling verification paths and treats OCSP_NO_URL as best-effort for stapling; adds error-string mapping.
tests/api/test_ocsp.h Declares new test entry point.
tests/api/test_ocsp.c Adds regression test covering default soft-fail vs opt-in fail-closed behavior.
tests/api.c Registers the new OCSP test in the API test suite.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

Copy link
Copy Markdown

MemBrowse Memory Report

gcc-arm-cortex-m4

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +31 B (+0.0%, 200,685 B / 262,144 B, total: 77% used)

gcc-arm-cortex-m4-openssl-compat

  • FLASH: .rodata +32 B (+0.0%, 771,588 B / 1,048,576 B, total: 74% used)

gcc-arm-cortex-m4-pq

  • FLASH: .rodata +24 B (+0.0%, 279,824 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m4-rsa-only

  • FLASH: .rodata +32 B, .text +128 B (+0.0%, 325,560 B / 1,048,576 B, total: 31% used)

gcc-arm-cortex-m4-tls13

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +31 B (+0.0%, 236,511 B / 262,144 B, total: 90% used)

gcc-arm-cortex-m7

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +31 B, .text +64 B (+0.0%, 200,685 B / 262,144 B, total: 77% used)

gcc-arm-cortex-m7-pq

  • FLASH: .rodata +24 B (+0.0%, 280,400 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-tls13

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +31 B, .text +64 B (+0.0%, 236,575 B / 262,144 B, total: 90% used)

linuxkm-standard

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10945

Scan targets checked: wolfcrypt-rs-bugs, wolfssl-bugs, wolfssl-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread tests/api/test_ocsp.c
Comment thread src/ocsp.c
@ejohnstown
ejohnstown requested review from embhorn and julek-wolfssl and removed request for embhorn and julek-wolfssl July 17, 2026 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants