Re: [exim] OCSP stapling

Author: Exim Users
Date:  
To: exim-users
Subject: Re: [exim] OCSP stapling

On 04/18/2016 05:52 PM, Wolfgang Breyha wrote:
> Hi!
>
> I tried to set up OCSP stapling and had some surprises to overcome:
>
> I think the supplied script "ocsp_fetch.pl" will fail in many cases following
> the included help.
>
> I took the openssl command it issues ...
> # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
>  -respout <file>
> and experimented until it worked for all of my certificates. Things I noticed
> for openssl 1.0.1+:
> *) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
> *) some OCSP servers need an undocumented "-header Host <hostname>"
>    option to get through to the correct virtual host (eg. globaltrust)
>    404 Forbidden response otherwise
> *) some OCSP servers answer with the response certificate to use for -VAfile
>    verification. (eg. alphassl/globalsign. I used -text first to get it.)
> *) for many OCSP servers it is sufficient to use the "-issuer" cert for
>    "-VAfile" as well to verify the response.
>
> Greetings, Wolfgang

Hi,
I have a similar problem.
Some certs need -VAfile to verify OK, but then they will not be stapled
inside exim.
An exim debug shows:
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC
Event OCSP PRDR Experimental_SPF Experimental_DANE Experimental_DMARC
11:24:17 17373 tls_ocsp_file /etc/exim4/ocsp/ocspresponse
11:24:17 17373 OCSP response verify failure: error:27069076:OCSP
routines:OCSP_basic_verify:signer certificate not found

That is the same error which can be seen when I just use the
ocsp_fetch.pl script without using -VAfile:
"...OCSP_basic_verify:signer certificate not found..."

A cipherscan run shows that this cert will never staple OCSP in the
TLS connection.


cipherscan tributh.net:465
........
Target: tributh.net:465

prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  pfs                 curves     curves_ordering
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                4096         sha256WithRSAEncryption  True     None         False        ECDH,P-384,384bits  secp384r1  server
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                4096         sha256WithRSAEncryption  True     None         False        ECDH,P-384,384bits  secp384r1  server
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  4096         sha256WithRSAEncryption  True     None         False        ECDH,P-384,384bits  secp384r1  server


OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

For this type of cert, where a -VAfile option is needed to verify OK,
a patch for exim is needed so that it also verifies and staples afterwards.

--
Torsten
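Reproducing what the two messages above describe, as an added example that is not from the thread and not exim's own ocsp_fetch.pl: the script builds a throwaway CA with a delegated OCSP responder certificate, uses openssl's offline responder mode (-index/-reqin/-respout) to produce one response with the responder certificate left out (-resp_no_certs) and one with it included, and then verifies each with the openssl ocsp command quoted above, with and without -VAfile. It assumes an openssl 1.1 or 3.x CLI on PATH; every name, serial, subject and the index entry is a constructed value. There is no network fetch, so the -header Host point is not exercised.

```shell
#!/bin/sh
# Added example, not from the exim-users thread: reproduce the
# "OCSP_basic_verify:signer certificate not found" failure offline with
# openssl's own responder mode, then show the two ways it verifies.
# Assumes an openssl CLI (1.1.x or 3.x) on PATH. Every name, serial and
# subject below is a constructed throwaway value.
set -eu

# Build a throwaway CA, a server certificate and a delegated OCSP
# responder certificate (OCSPSigning EKU, issued by the same CA) in $1.
make_pki() {
  d="$1"
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 0x1001 -days 30 -out "$d/leaf.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Test OCSP Responder" -keyout "$d/resp.key" -out "$d/resp.csr" 2>/dev/null
  printf 'extendedKeyUsage=OCSPSigning\n' > "$d/resp.ext"
  openssl x509 -req -in "$d/resp.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 0x1002 -days 30 -extfile "$d/resp.ext" -out "$d/resp.pem" 2>/dev/null
  # ca(1)-style index the responder consults: leaf serial 1001 is Valid.
  # The expiry column is a constructed far-future timestamp.
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=mail.example.test\n' > "$d/index.txt"
  printf 'unique_subject = yes\n' > "$d/index.txt.attr"
}

# Build the request for the leaf and answer it in offline responder mode.
# Extra arguments ("$@") go to the responder, e.g. -resp_no_certs.
make_response() {
  d="$1"; out="$2"; shift 2
  openssl ocsp -issuer "$d/ca.pem" -cert "$d/leaf.pem" -no_nonce \
    -reqout "$d/req.der" >/dev/null 2>&1
  openssl ocsp -index "$d/index.txt" -CA "$d/ca.pem" -rsigner "$d/resp.pem" \
    -rkey "$d/resp.key" -no_nonce -reqin "$d/req.der" -respout "$out" "$@" >/dev/null 2>&1
}

# Verify a stored response the way the quoted command does (-issuer,
# -cert, -CAfile); "$@" lets the caller add -VAfile. Prints openssl's output.
verify_response() {
  d="$1"; resp="$2"; shift 2
  openssl ocsp -respin "$resp" -issuer "$d/ca.pem" -cert "$d/leaf.pem" \
    -CAfile "$d/ca.pem" -no_nonce "$@" 2>&1 || true
}

# Reduce openssl's verification output to one word.
verdict() {
  case "$1" in
    *"Response verify OK"*) echo ok ;;
    *"signer certificate not found"*) echo signer-not-found ;;
    *) echo fail ;;
  esac
}

# Run the three cases and print a one-line summary. Returns 0 only if the
# outcomes match what the thread reports.
run_demo() {
  d=$(mktemp -d)
  make_pki "$d"
  # 1) responder leaves its certificate out of the response: neither the
  #    issuer nor the CA store contains the delegated signer, which is the
  #    error exim prints for tls_ocsp_file.
  make_response "$d" "$d/bare.der" -resp_no_certs
  r1=$(verdict "$(verify_response "$d" "$d/bare.der")")
  # 2) same file with the signer handed over via -VAfile: openssl accepts
  #    it, but the response file itself is unchanged.
  r2=$(verdict "$(verify_response "$d" "$d/bare.der" -VAfile "$d/resp.pem")")
  # 3) responder includes its certificate (openssl's default): the response
  #    verifies from the issuer chain alone.
  make_response "$d" "$d/full.der"
  r3=$(verdict "$(verify_response "$d" "$d/full.der")")
  rm -rf "$d"
  echo "no-certs:$r1 vafile:$r2 with-certs:$r3"
  [ "$r1" = signer-not-found ] && [ "$r2" = ok ] && [ "$r3" = ok ]
}

run_demo
```

Cases 1 and 2 use the identical response file, which is the point of Torsten's report: adding -VAfile makes openssl's check pass at fetch time without changing the bytes that end up in tls_ocsp_file, so exim's own verification still fails with the same "signer certificate not found" error. Case 3 is the shape of response that verifies from the issuer chain alone; a responder that omits its certificate produces case 1 no matter how the fetch script is invoked.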