Hi all,
I'm having an issue getting OCSP stapling working with exim 4.85.
$ exim -bV
Exim version 4.85 #2 built 01-Jun-2015 16:46:36
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 4.8.30: (2014-12-24)
Support for: crypteq iconv() IPv6 PAM OpenSSL Content_Scanning Old_Demime PRDR OCSP Experimental_SPF Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch passwd
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf
Certificate chain is actually the following:
$ openssl x509 -in /etc/ssl/private/enlightenment.org.crt -noout \
    -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.enlightenment.org
c1b3f093
issuer= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
8544bf03
http://ocsp.usertrust.com

$ openssl x509 -in /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt -noout \
    -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
8544bf03
issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
fc5a8f99
http://ocsp.usertrust.com

$ openssl x509 -in /etc/ssl/private/USERTrust-RSA-Certification-Authority.crt -noout \
    -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
fc5a8f99
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
157753a5
http://ocsp.usertrust.com
OCSP staple file is retrieved this way:
$ openssl ocsp -no_nonce \
    -issuer /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt \
    -cert /etc/ssl/private/enlightenment.org.pem \
    -url http://ocsp.usertrust.com \
    -CAfile /etc/ssl/certs/ca-certificates.crt \
    -VAfile /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt \
    -respout /etc/ssl/private/enlightenment.org.pem.ocsp -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A5E2344EF5763A9CE2F31E9B9807B0075727A5F9
          Issuer Key Hash: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
          Serial Number: 399CBD9E8051AFD8F2F298421ECF6666
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
    Produced At: Oct 31 03:46:35 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A5E2344EF5763A9CE2F31E9B9807B0075727A5F9
      Issuer Key Hash: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
      Serial Number: 399CBD9E8051AFD8F2F298421ECF6666
    Cert Status: good
    This Update: Oct 31 03:46:35 2015 GMT
    Next Update: Nov  4 03:46:35 2015 GMT

    Signature Algorithm: sha256WithRSAEncryption
         65:ce:db:74:8e:bf:e8:95:5a:66:87:2d:01:57:07:d6:fd:58:
         34:a9:f8:52:f7:d2:62:39:dd:92:e3:5d:d0:5c:a2:be:06:2c:
         78:af:84:17:5f:1b:9d:ba:32:0d:af:6f:22:0e:e4:46:12:e8:
         c3:ef:64:36:ca:29:7d:e0:a4:dd:4b:99:96:ed:72:e0:91:f3:
         6c:24:06:a8:9c:14:be:b2:c6:e6:b2:3c:01:4c:87:f2:f7:25:
         64:69:a0:a6:88:15:de:44:39:a3:10:39:b9:57:be:66:5e:20:
         cb:7a:08:dd:42:6a:36:86:64:c5:fc:d5:0e:7a:a6:3e:0d:fb:
         49:d8:68:94:a1:11:e5:e0:c1:d5:bd:db:37:a2:e9:70:44:f2:
         a3:c0:bf:8c:53:b0:cf:fd:07:97:32:3d:b3:73:92:71:94:60:
         c2:86:3c:c1:2a:29:53:11:af:5c:23:8d:bd:cf:0e:3b:c1:2b:
         26:5c:ed:f5:96:be:18:45:ff:56:8f:85:f6:10:b4:c3:29:bc:
         44:aa:d6:e2:0b:0b:c6:cc:69:e2:e8:07:3f:97:d2:c0:3b:dd:
         ad:2d:a1:37:c7:bd:f8:d5:26:b2:28:a0:ce:30:48:ec:ab:49:
         38:1d:09:6f:b1:d8:e2:61:18:5a:87:8e:bb:bc:64:b4:df:04:
         13:44:fa:04
Response verify OK
/etc/ssl/private/enlightenment.org.pem: good
	This Update: Oct 31 03:46:35 2015 GMT
	Next Update: Nov  4 03:46:35 2015 GMT
As you can see, the OCSP response is valid and fully verified, but Exim is
complaining with the following error when reading the OCSP file:

18086 OCSP response verify failure: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
I tried appending the DER form of every certificate up to the CA to the
file, with no success.
The same OCSP file is used by haproxy to deliver OCSP stapling for HTTP
and it actually works great.
Is OCSP_basic_verify enough to check whether the OCSP file is correct or
not?
Thanks!
--
Bertrand
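
An added example, not part of the message above and not Exim's or OpenSSL's
own code: it reproduces the shape of the response shown in the post offline
and shows where "signer certificate not found" comes from. In the post the
Responder Id is a SHA-1 key hash identical to the Issuer Key Hash, and the
-text dump lists no embedded certificates, so the response was signed
directly by the issuing CA and carries no certificate for the verifier to
find the signer in. OCSP_basic_verify looks for the signer first in the
certificates embedded in the response and then in the certificate stack the
caller passes in; it does not search the trust store for it. The
openssl ocsp run in the post passed the issuer via -VAfile, which the manual
documents as equivalent to -verify_other plus -trust_other, so the CLI
succeeded where a caller that passes an empty stack does not. The script
below builds a throw-away CA (standing in for the real intermediate),
answers an OCSP request with the CA key itself using OpenSSL's responder
mode with -resp_key_id and -resp_no_certs, then verifies the same DER
response once with only a trust store and once with the issuer offered as a
candidate signer through -verify_other. All names, paths and the serial are
made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce "signer certificate
# not found" offline with a throw-away CA and OpenSSL's OCSP responder mode.
# Every name, path and serial below is invented for the demonstration.
set -eu

command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
WORK="$(mktemp -d)"
cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Throw-away issuing CA (plays the part of the real intermediate CA) and a
# leaf certificate issued by it with serial 0x1001.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Issuing CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
    -days 1 -sha256 -out leaf.crt >/dev/null 2>&1
  # CA database for "openssl ocsp -index": status, expiry, revocation date,
  # serial (hex), file name, subject.  Responder mode only consults the
  # status and serial columns; the expiry value here is a placeholder.
  printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=mail.example.test\n' > index.txt
}

# Act as the responder: sign with the CA key itself, identify the signer by
# key hash (-resp_key_id) and embed no certificates (-resp_no_certs).  This
# is the combination that leaves a verifier nothing to find the signer in
# except the certificate stack its caller supplies.
make_response() {
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -resp_key_id -resp_no_certs -reqin req.der -respout "$1" >/dev/null
}

# Does the Responder Id equal the Issuer Key Hash?  If so, the CA signed the
# response itself and the CA certificate must be among the signer candidates.
responder_is_issuer() {
  text="$(openssl ocsp -respin "$1" -noverify -text 2>/dev/null)"
  rid="$(printf '%s\n' "$text" | sed -n 's/^ *Responder Id: *//p' | head -n 1)"
  ikh="$(printf '%s\n' "$text" | sed -n 's/^ *Issuer Key Hash: *//p' | head -n 1)"
  [ -n "$rid" ] && [ "$rid" = "$ikh" ] && echo yes || echo no
}

# Verify a DER response as a client.  $1 response, $2 trust store (CAfile),
# $3 optional file of extra certificates searched for the signer, which is
# the lookup OCSP_basic_verify does before it checks the signature.
verify_response() {
  if [ $# -ge 3 ]; then
    out="$(openssl ocsp -respin "$1" -CAfile "$2" -verify_other "$3" 2>&1 || true)"
  else
    out="$(openssl ocsp -respin "$1" -CAfile "$2" 2>&1 || true)"
  fi
  case "$out" in
    *"Response verify OK"*)           echo verified ;;
    *"signer certificate not found"*) echo signer-not-found ;;
    *)                                echo failed ;;
  esac
}

build_pki
make_response resp.der
echo "responder is the issuer itself: $(responder_is_issuer resp.der)"
echo "trust store only:               $(verify_response resp.der ca.crt)"
echo "issuer offered as signer:       $(verify_response resp.der ca.crt ca.crt)"
```

The second verify_response call fails with exactly the OCSP_basic_verify
reason string Exim logged, even though the CA certificate is in the trust
store; the third succeeds only because the CA certificate is also in the set
searched for the signer. Note that the "certs" field of a BasicOCSPResponse
sits outside the signed tbsResponseData, which is why a responder can choose
to omit it; a client-side file that simply concatenates DER certificates
after the response is not that field, so the check above will not pick them
up.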