Hello Roumen,

first of all, many thanks for your X509 OpenSSH patch. It is very nice, and works very well except for one point (at least, the only one I have found at the moment ;)

I had trouble with the OCSP part: when VAType is set to ocspcert and the certificate has a URL other than '/', the ssh_get_ocsp_response function extracts the path from the certificate without the leading slash, which results in an HTTP error 'Invalid URL' and invalidates the certificate.

Here is an extract from an ethereal capture:

    POST ejbca/publicweb/status/ocsp HTTP/1.0

While the certificate defines:

    Authority Information Access:
        OCSP - URI:http://ejbca.asyd.net:8080/ejbca/publicweb/status/ocsp

That's why I did a little hack, which gives:

    /*
     * OCSP_sendreq_bio accept null as path argument but if path
     * is null http request will contain what is incorrect.
     */
    if (conn->path) {
        /* Add leading slash */
        char *buffer;
        buffer = xmalloc(strlen(conn->path) + 2);
        sprintf(buffer, "/%s", conn->path);
        resp = OCSP_sendreq_bio(bio_conn, buffer, req);
        xfree(buffer);
    } else {
        resp = OCSP_sendreq_bio(bio_conn, "/", req);
    }
    if (resp == NULL) {
        openssl_error("ssh_ocsp_get_response", "OCSP_sendreq_bio");
    }

Though, I am not a real C developer; I guess you need to correct it.

Moreover, I noticed you don't use the OCSP_parse_url defined in OpenSSL; maybe you should.

Thank you very much again for your patch.

--
http://asyd.net/home/ - Home Page
http://guses.org/home/ - French Speaking Solaris User Group
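
The path handling discussed in the message above, as an added stand-alone example (not part of the original mail and not code from the X509 OpenSSH patch): it roots the stored path exactly once before building the request line, so a path that already has its slash is not doubled. The names ocsp_request_path and ocsp_request_line are hypothetical, and rejecting spaces and control bytes goes beyond what the mail describes; it is an assumption here, made because the path is taken from the certificate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a malloc'd request path that always starts
 * with '/'. NULL or "" becomes "/"; an already rooted path is copied as is.
 * Returns NULL on allocation failure or if the path holds a space or
 * control byte, which would corrupt the HTTP request line. */
char *ocsp_request_path(const char *path)
{
    const char *p;
    size_t len;
    char *out;
    if (path == NULL || *path == '\0')
        path = "/";
    for (p = path; *p != '\0'; p++)
        if ((unsigned char)*p <= 0x20 || *p == 0x7f)
            return NULL;
    len = strlen(path) + (path[0] == '/' ? 0 : 1);
    if ((out = malloc(len + 1)) == NULL)
        return NULL;
    snprintf(out, len + 1, "%s%s", path[0] == '/' ? "" : "/", path);
    return out;
}

/* Hypothetical helper: format the HTTP/1.0 request line the responder sees.
 * Returns 0 on success, -1 on a rejected path or a too-small buffer. */
int ocsp_request_line(const char *path, char *buf, size_t buflen)
{
    char *rooted = ocsp_request_path(path);
    int n;
    if (rooted == NULL)
        return -1;
    n = snprintf(buf, buflen, "POST %s HTTP/1.0", rooted);
    free(rooted);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the slash-less path from the mail, a rooted one,
     * an empty one, NULL, and one carrying CRLF. */
    const char *in[] = { "ejbca/publicweb/status/ocsp", "/ocsp", "", NULL, "a\r\nX: y" };
    char line[256];
    size_t i;
    for (i = 0; i < sizeof in / sizeof in[0]; i++)
        puts(ocsp_request_line(in[i], line, sizeof line) == 0 ? line : "rejected");
    return 0;
}
```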