[exim] OCSP Stapling

Author: T.Tributh
Date:
To: Exim-users
Subject: [exim] OCSP Stapling
Hi,
I have a problem getting OCSP Stapling to work.

I used the latest exim version from GitHub.

exim --version
Exim version 4.86TT #3 built 28-Apr-2015 22:49:43
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM PRDR OCSP Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf


I used the sample Perl ocsp_fetch.pl to receive the OCSP answer from the CA,
put the result in /etc/exim4/ocsp/ocspresponse
and configured that in the main config.

exim -bP tls_ocsp_file
tls_ocsp_file = /etc/exim4/ocsp/ocspresponse


To check and compare the OCSP result I wrote a little script:

#!/bin/sh
# usage: ./ocspcheck host:port   (e.g. tributh.net:465)
hostport=$1
# leaf certificate presented by the server
openssl s_client -connect "$hostport" 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert
openssl x509 -noout -ocsp_uri -in cert
url=`openssl x509 -noout -ocsp_uri -in cert`
# full chain, split into one file per certificate (xx01 = leaf, xx02 = issuer)
openssl s_client -connect "$hostport" -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > chain
csplit chain '/-----BEGIN CERTIFICATE-----/' '{*}'
# ask the responder and store the DER response where tls_ocsp_file points
openssl ocsp -issuer xx02 -cert cert -url "$url" -CAfile ca-certs.pem -nonce -respout /etc/exim4/ocsp/ocspresponse -VAfile xx02


with $1 = tributh.net:465


which is remotely usable and gives me the same result as the previously
mentioned Perl script.


With a cipherscan I can see that OCSP Stapling is not working.

cipherscan from https://github.com/jvehent/cipherscan

You can for example make a check with

cipherscan -starttls smtp tributh.net:25
or just
cipherscan tributh.net:465

Is there anything I forgot?

Regards Torsten
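A second way to look at the same question, as an added example that is not part of the original post or of Exim: instead of cipherscan, ask OpenSSL directly whether the server staples a response and what that response says. `openssl s_client -status` prints either `OCSP response: no response sent` or a decoded response containing `OCSP Response Status` and `Cert Status` lines; the function below classifies that output, so the live probe and the offline samples (constructed here, not captured from any real host) go through the same logic. The script name and the host placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: classify what a server staples.
# classify_status reads the output of `openssl s_client -status` on stdin and
# prints one word:
#   none     the server sent no OCSP response (stapling is not active)
#   stapled  a response was stapled and reports the certificate as good
#   bad      a response was stapled but its status is not good (revoked,
#            unknown, or the responder returned an error status)
#   unknown  the input does not look like s_client -status output at all
classify_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            echo none ;;
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*) echo stapled ;;
                *) echo bad ;;
            esac ;;
        *"OCSP response:"*)
            echo bad ;;
        *)
            echo unknown ;;
    esac
}

# probe_stapling runs the live check (needs network access). Pass "smtp" as
# the second argument for ports that use STARTTLS (25, 587); pass nothing for
# implicit TLS on 465.
probe_stapling() {
    if [ -n "${2:-}" ]; then
        openssl s_client -connect "$1" -starttls "$2" -status </dev/null 2>&1 | classify_status
    else
        openssl s_client -connect "$1" -status </dev/null 2>&1 | classify_status
    fi
}

# Constructed samples of the relevant s_client -status lines, for offline use.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = mail.example.invalid'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
depth=0 CN = mail.example.invalid'
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
======================================'

# Command-line use: ./stapling-check.sh host:port [smtp]
if [ -n "${1:-}" ]; then
    probe_stapling "$1" "${2:-}"
fi
```

Running `./stapling-check.sh mail.example.invalid:465` (placeholder host) prints `none` when the MTA is not stapling at all, which separates a missing or rejected tls_ocsp_file from a stapled-but-unusable response (`bad`), a distinction a single pass/fail from cipherscan does not make. Comparing `bad` against `openssl ocsp -respin /etc/exim4/ocsp/ocspresponse -text -noverify` on the stored file then shows whether the response Exim serves is the one the fetch script wrote.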