[Pkg-openssl-devel] Bug#632833: openssl: OCSP responder 1.x listening on localhost ipv6
Kai Hendry
kai.hendry at wacapps.net
Wed Jul 6 10:21:27 UTC 2011
Package: openssl
Version: 0.9.8o-4squeeze1
Severity: normal
After upgrading to OpenSSL 1.0.0d-3, I noticed two problems over 0.9.8:
1) OCSP server only uses ipv6
2) OCSP server only binds to localhost
I worked around the ipv6 issue by disabling ipv6 altogether on the
Debian host.
The second issue was worked around by downloading/building the source
from http://www.openssl.org/source/openssl-1.0.0d.tar.gz not using the
debian packaging, since I'm not sure how it works with that subversion
stuff tbh. After installing it into /usr/local/ssl/bin/openssl, it now
successfully binds to * (INADDR_ANY, IIUC).
I next tried to work out how the Debian package patches
crypto/bio/b_sock.c if at all. And I couldn't see any changes there. So
I'm at a loss.
Unfortunately testing the OCSP responder is a bit tricky, since you need
a bunch of keys set up. Example invocation I'm using is:
sudo /usr/local/ssl/bin/openssl ocsp -index demoCA/index.txt -port 8080 -rsigner demoCA/rsigner.pem -rkey demoCA/rkey-unencrypted.pem -CA demoCA/CA.pem -text -ndays 7
Many thanks,
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (700, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-xen-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-4squeeze1 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu2 Common CA certificates
-- Configuration Files:
/etc/ssl/openssl.cnf changed [not included]
-- no debconf information
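A small probe for the two symptoms described in this report (responder reachable only over IPv6, and only on localhost), added here as an illustration; it is not code from the bug report, from Debian or from the OpenSSL project. It assumes the responder is already running on the port from the report (8080) and that the address list passed to it is edited for the machine under test; the `listen_on` helper exists only so the probe can be exercised against a local dummy listener.

```python
import socket
import sys

# Added example (not from the bug report or the openssl package): probe a
# running TCP listener, such as "openssl ocsp -port 8080", to see which
# addresses it actually answers on. Port 8080 is taken from the report; the
# default host list (IPv4 and IPv6 loopback) is an assumption for this example.


def probe(host, port, timeout=0.5):
    """Return True if a TCP connection to (host, port) can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, no IPv6 stack, timeout ...
        return False


def bind_report(port, hosts=("127.0.0.1", "::1")):
    """Map each candidate address to whether the listener answers there.

    Passing a non-loopback address of the host as well distinguishes a
    localhost-only bind from a wildcard (INADDR_ANY / in6addr_any) bind.
    """
    return {host: probe(host, port) for host in hosts}


def diagnose(report):
    """Summarise a bind_report in terms of the two problems in the bug."""
    v4 = [h for h, ok in report.items() if ok and ":" not in h]
    v6 = [h for h, ok in report.items() if ok and ":" in h]
    if not v4 and not v6:
        return "not listening"
    if v6 and not v4:
        return "ipv6-only"  # symptom 1 from the report
    if v4 and not v6:
        return "ipv4-only"
    return "dual-stack"


def listen_on(host, port=0):
    """Open a dummy listener for self-testing; returns (socket, bound_port)."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # usage: python probe_bind.py [port] [extra addresses of this host ...]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    report = bind_report(port, hosts=("127.0.0.1", "::1") + tuple(sys.argv[2:]))
    for host, ok in report.items():
        print(f"{host:>20}: {'open' if ok else 'closed'}")
    print("verdict:", diagnose(report))
```

Run it while the responder is up; a verdict of `ipv6-only` with `127.0.0.1` closed reproduces the first symptom, and a LAN address of the host passed as an extra argument showing `closed` while `127.0.0.1` shows `open` reproduces the second. The check only opens and closes a TCP connection, so it is safe to run against a production responder.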