On 04/18/2016 05:52 PM, Wolfgang Breyha wrote:
> Hi!
>
> I tried to set up OCSP stapling and had some surprises to overcome:
>
> I think the supplied script "ocsp_fetch.pl" will fail in many cases following
> the included help.
>
> I took the openssl command it issues ...
> # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
> -respout <file>
> and experimented until it worked for all of my certificates. Things I noticed
> for openssl 1.0.1+:
> *) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
> *) some OCSP servers need an undocumented "-header Host <hostname>"
> option to get through to the correct virtual host (eg. globaltrust)
> 404 Forbidden response otherwise
> *) some OCSP servers answer with the response certificate to use for -VAfile
> verification. (eg. alphassl/globalsign. I used -text first to get it.
> *) for many OCSP servers it is sufficient to use the "-issuer" cert for
> "-VAfile" as well to verify the response.
>
> Greetings, Wolfgang
Hi,
i have a similar problem.
Some cert need -VAfile to verify ok, but than they will not be stapled
inside exim.
An exim debug shows:
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC
Event OCSP PRDR Experimental_SPF Experimental_DANE Experimental_DMARC
11:24:17 17373 tls_ocsp_file /etc/exim4/ocsp/ocspresponse
11:24:17 17373 OCSP response verify failure: error:27069076:OCSP
routines:OCSP_basic_verify:signer certificate not found
that is the same error, which can be seen when i just use the
ocsp_fetch.pl script without using -VAfile
"...OCSP_basic_verify:signer certificate not found..."
a cipherscan shows, that this cert will never staple OCSP in the
TLS-Connection.
cipherscan tributh.net:465
........
Target: tributh.net:465
prio ciphersuite protocols pubkey_size
signature_algoritm trusted ticket_hint ocsp_staple
pfs curves curves_ordering
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 4096
sha256WithRSAEncryption True None False
ECDH,P-384,384bits secp384r1 server
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 4096
sha256WithRSAEncryption True None False
ECDH,P-384,384bits secp384r1 server
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 4096
sha256WithRSAEncryption True None False
ECDH,P-384,384bits secp384r1 server
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
For this type of certs where a -VAfile option is needed to verify ok,
there is a patch for exim needed to verify also and staple afterwards.
--
Torsten