[exim] OCSP stapling

Author: Wolfgang Breyha
Date:  
To: exim-users
Subject: [exim] OCSP stapling
Hi!

I tried to set up OCSP stapling and had some surprises to overcome:

I think the supplied script "ocsp_fetch.pl" will fail in many cases following
the included help.

I took the openssl command it issues ...
# openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
-respout <file>
and experimented until it worked for all of my certificates. Things I noticed
for openssl 1.0.1+:
*) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
*) some OCSP servers need an undocumented "-header Host <hostname>"
option to get through to the correct virtual host (e.g. globaltrust);
404 Forbidden response otherwise
*) some OCSP servers answer with the response certificate to use for -VAfile
verification (e.g. alphassl/globalsign; I used -text first to get it).
*) for many OCSP servers it is sufficient to use the "-issuer" cert for
"-VAfile" as well to verify the response.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria