[exim-dev] OCSP Stapling issue

Author: Bertrand Jacquin
Date:  
To: exim-dev
Subject: [exim-dev] OCSP Stapling issue
Hi all,

I'm having an issue getting OCSP stapling working with exim 4.85.

$ exim -bV
Exim version 4.85 #2 built 01-Jun-2015 16:46:36
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 4.8.30: (2014-12-24)
Support for: crypteq iconv() IPv6 PAM OpenSSL Content_Scanning Old_Demime PRDR OCSP Experimental_SPF Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch passwd
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf

Certificate chain is actually the following:

$ openssl x509 -in /etc/ssl/private/enlightenment.org.crt -noout \
    -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.enlightenment.org
c1b3f093
issuer= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
8544bf03
http://ocsp.usertrust.com

$ openssl x509 -in /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt -noout \
    -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
8544bf03
issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
fc5a8f99
http://ocsp.usertrust.com

$ openssl x509 -in /etc/ssl/private/USERTrust-RSA-Certification-Authority.crt -noout \
    -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
fc5a8f99
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
157753a5
http://ocsp.usertrust.com

OCSP staple file is retrieved this way:

$ openssl ocsp -no_nonce \
    -issuer /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt \
    -cert /etc/ssl/private/enlightenment.org.pem \
    -url http://ocsp.usertrust.com \
    -CAfile /etc/ssl/certs/ca-certificates.crt \
    -VAfile /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt \
    -respout /etc/ssl/private/enlightenment.org.pem.ocsp -text
OCSP Request Data:
     Version: 1 (0x0)
     Requestor List:
         Certificate ID:
           Hash Algorithm: sha1
           Issuer Name Hash: A5E2344EF5763A9CE2F31E9B9807B0075727A5F9
           Issuer Key Hash: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
           Serial Number: 399CBD9E8051AFD8F2F298421ECF6666
OCSP Response Data:
     OCSP Response Status: successful (0x0)
     Response Type: Basic OCSP Response
     Version: 1 (0x0)
     Responder Id: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
     Produced At: Oct 31 03:46:35 2015 GMT
     Responses:
     Certificate ID:
       Hash Algorithm: sha1
       Issuer Name Hash: A5E2344EF5763A9CE2F31E9B9807B0075727A5F9
       Issuer Key Hash: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
       Serial Number: 399CBD9E8051AFD8F2F298421ECF6666
     Cert Status: good
     This Update: Oct 31 03:46:35 2015 GMT
     Next Update: Nov  4 03:46:35 2015 GMT


     Signature Algorithm: sha256WithRSAEncryption
          65:ce:db:74:8e:bf:e8:95:5a:66:87:2d:01:57:07:d6:fd:58:
          34:a9:f8:52:f7:d2:62:39:dd:92:e3:5d:d0:5c:a2:be:06:2c:
          78:af:84:17:5f:1b:9d:ba:32:0d:af:6f:22:0e:e4:46:12:e8:
          c3:ef:64:36:ca:29:7d:e0:a4:dd:4b:99:96:ed:72:e0:91:f3:
          6c:24:06:a8:9c:14:be:b2:c6:e6:b2:3c:01:4c:87:f2:f7:25:
          64:69:a0:a6:88:15:de:44:39:a3:10:39:b9:57:be:66:5e:20:
          cb:7a:08:dd:42:6a:36:86:64:c5:fc:d5:0e:7a:a6:3e:0d:fb:
          49:d8:68:94:a1:11:e5:e0:c1:d5:bd:db:37:a2:e9:70:44:f2:
          a3:c0:bf:8c:53:b0:cf:fd:07:97:32:3d:b3:73:92:71:94:60:
          c2:86:3c:c1:2a:29:53:11:af:5c:23:8d:bd:cf:0e:3b:c1:2b:
          26:5c:ed:f5:96:be:18:45:ff:56:8f:85:f6:10:b4:c3:29:bc:
          44:aa:d6:e2:0b:0b:c6:cc:69:e2:e8:07:3f:97:d2:c0:3b:dd:
          ad:2d:a1:37:c7:bd:f8:d5:26:b2:28:a0:ce:30:48:ec:ab:49:
          38:1d:09:6f:b1:d8:e2:61:18:5a:87:8e:bb:bc:64:b4:df:04:
          13:44:fa:04
Response verify OK
/etc/ssl/private/enlightenment.org.pem: good
         This Update: Oct 31 03:46:35 2015 GMT
         Next Update: Nov  4 03:46:35 2015 GMT


As you can see, the OCSP response is valid and fully verified, but Exim
complains with the following error when reading the OCSP file:

18086 OCSP response verify failure: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found

I tried appending the DER form of every cert up to the CA to the file,
with no success.

The same OCSP file is used by haproxy to deliver OCSP stapling for HTTP
and it actually works great.

Is OCSP_basic_verify enough to check whether the OCSP file is correct or
not?

Thanks!

--
Bertrand
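The output in the post has Responder Id equal to Issuer Key Hash, so the issuing CA's own key signed the response. OpenSSL's OCSP_basic_verify reports "signer certificate not found" when the certificate matching that Responder Id is neither embedded in the response nor in the certificate list the caller hands it; a trust store alone is not searched for it. The `openssl ocsp` command in the post never hits that case, because both `-issuer` and `-VAfile` hand the intermediate to the verifier. The script below, an added example that is not from the post or from Exim, reproduces that difference with a throwaway PKI: it builds root, intermediate and leaf certificates, has the intermediate sign an OCSP response for the leaf without embedding its own certificate, and then runs the verifier with and without access to the signer. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; every subject, file name and serial in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post or from Exim): reproduce
# OCSP_basic_verify's "signer certificate not found" with a constructed PKI
# whose OCSP response is signed directly by the issuing CA's key, as in the
# post, and with the signer certificate left out of the response.
# Assumes `openssl` (1.1.1 or 3.x) on PATH; all names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the constructed CA certificates and the leaf.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# gen_key_csr NAME SUBJECT: RSA key plus a CSR for it.
gen_key_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# Three-level chain; the leaf gets serial 0x1001 so the responder index below matches it.
build_pki() {
    gen_key_csr root "/CN=Constructed Test Root"
    gen_key_csr int  "/CN=Constructed Test Intermediate"
    gen_key_csr leaf "/CN=mail.example.test"
    openssl x509 -req -in root.csr -signkey root.key -days 1 -set_serial 1 \
        -extfile ca.ext -out root.crt 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -days 1 -set_serial 2 \
        -extfile ca.ext -out int.crt 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -days 1 -set_serial 0x1001 \
        -extfile leaf.ext -out leaf.crt 2>/dev/null
}

# One-shot OCSP responder for the leaf, signing with the intermediate's key.
# -resp_key_id makes the Responder Id a key hash (as in the post);
# -resp_no_certs leaves the signer certificate out of the response.
make_response() {
    # openssl ca-style index line: status, expiry, revocation date, serial, file, subject
    printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=mail.example.test\n' > index.txt
    openssl ocsp -index index.txt -CA int.crt -rsigner int.crt -rkey int.key \
        -resp_key_id -resp_no_certs -no_nonce \
        -issuer int.crt -cert leaf.crt -CAfile root.crt \
        -respout resp.der >/dev/null
}

# verify_result [extra openssl ocsp options]: verify resp.der against a trust
# store holding only the root. Echoes "verified", the OpenSSL reason
# "signer certificate not found", or "failed" for any other outcome.
verify_result() {
    if openssl ocsp -respin resp.der -CAfile root.crt "$@" > verify.out 2>&1; then
        echo "verified"
    elif grep -q 'signer certificate not found' verify.out; then
        echo "signer certificate not found"
    else
        echo "failed"
    fi
}

build_pki
make_response

# The root alone is not enough: nothing tells the verifier which certificate signed the response.
echo "root only:                    $(verify_result)"
# Passing the signer as an untrusted cert that chains to the root fixes it ...
echo "root + -verify_other int.crt: $(verify_result -verify_other int.crt)"
# ... as do the two options the post's own openssl command relied on.
echo "root + -VAfile int.crt:       $(verify_result -VAfile int.crt)"
echo "root + -issuer/-cert:         $(verify_result -no_nonce -issuer int.crt -cert leaf.crt)"
```

The first line of output is the error from the post; the other three are "verified". The difference is only what the verifier is given: a caller of OCSP_basic_verify that passes just a trust store (or a certificate list without the intermediate) cannot locate the signer, so either that list must contain the intermediate or the response itself must embed the responder certificate.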