Hi,
I have a problem getting OCSP stapling to work.
I used the latest exim version from GitHub:
exim --version
Exim version 4.86TT #3 built 28-Apr-2015 22:49:43
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM PRDR OCSP Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf
I used the sample Perl script ocsp_fetch.pl to receive the OCSP answer from the CA,
put the result in /etc/exim4/ocsp/ocspresponse
and configured that in the main config:
exim -bP tls_ocsp_file
tls_ocsp_file = /etc/exim4/ocsp/ocspresponse
To check and compare the OCSP result I wrote a little script:
#!/bin/sh
hostport=$1
# fetch the server certificate alone (no -showcerts) and keep only the PEM block
openssl s_client -connect "$hostport" 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert
# print the OCSP responder URL from the certificate, then keep it for the query
openssl x509 -noout -ocsp_uri -in cert
url=$(openssl x509 -noout -ocsp_uri -in cert)
# fetch the whole presented chain and split it into one file per certificate (xx00, xx01, xx02, ...)
openssl s_client -connect "$hostport" -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > chain
csplit chain '/-----BEGIN CERTIFICATE-----/' '{*}'
# xx02 is the issuer certificate; query its responder and save the response where tls_ocsp_file points
openssl ocsp -issuer xx02 -cert cert -url "$url" -CAfile ca-certs.pem \
  -nonce -respout /etc/exim4/ocsp/ocspresponse -VAfile xx02
with $1 = tributh.net:465,
which is remotely usable and gives me the same result as the Perl script mentioned above.
With cipherscan I can see that OCSP stapling is not working.
cipherscan from
https://github.com/jvehent/cipherscan
You can, for example, check with
cipherscan -starttls smtp tributh.net:25
or just
cipherscan tributh.net:465
Is there anything I forgot?
Regards, Torsten
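An added check, not part of the original post or of Exim's own tooling, that asks the server what it actually staples (the same `openssl s_client -status` request cipherscan makes) and reads the saved response file that tls_ocsp_file points at, so a stale or mismatched file can be told apart from a server that never sends the response. The three function names are my own, and the s_client output used to exercise the parser is constructed.

```shell
# Summarise the "OCSP response:" block that `openssl s_client -status` prints.
# Reads s_client output on stdin and prints one of
#   STAPLED_GOOD (exit 0), NO_STAPLE (exit 1), STAPLED_NOT_GOOD:<status> (exit 2).
# Hypothetical helper written for this check, not an Exim or openssl tool.
ocsp_staple_summary() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo NO_STAPLE; return 1 ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) ;;
    *) echo NO_STAPLE; return 1 ;;
  esac
  # the "Cert Status" line looks like "    Cert Status: good"
  status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
  if [ "$status" = "good" ]; then
    echo STAPLED_GOOD
    return 0
  fi
  echo "STAPLED_NOT_GOOD:${status:-unknown}"
  return 2
}

# Ask a live server what it staples. Port 465 speaks TLS directly; for port 25
# pass "smtp" as the second argument so s_client negotiates STARTTLS first.
# Usage: check_stapling tributh.net:465 ; check_stapling tributh.net:25 smtp
check_stapling() {
  hostport=$1
  starttls=$2
  host=${hostport%%:*}
  set -- -connect "$hostport" -servername "$host" -status
  if [ -n "$starttls" ]; then
    set -- "$@" -starttls "$starttls"
  fi
  openssl s_client "$@" < /dev/null 2>&1 | ocsp_staple_summary
}

# Show what the locally saved response (the tls_ocsp_file) says: the serial it
# covers, its status and when it expires, before blaming the server side.
inspect_response_file() {
  openssl ocsp -respin "$1" -noverify -text 2>/dev/null \
    | grep -E 'Serial Number|Cert Status|Next Update'
}
```

Run `inspect_response_file /etc/exim4/ocsp/ocspresponse` and compare the serial against the server certificate; a response for another certificate or one past its Next Update is not useful to Exim even if the file is present.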