Re: [exim] OCSP stapling

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Wolfgang Breyha
Datum:  
To: exim-users
Betreff: Re: [exim] OCSP stapling
Wolfgang Breyha wrote on 18/04/16 17:52:
> Hi!
>
> I tried to set up OCSP stapling and had some surprises to overcome:
>
> I think the supplied script "ocsp_fetch.pl" will fail in many cases following
> the included help.
>
> I took the openssl command it issues ...
> # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
>  -respout <file>
> and experimented until it worked for all of my certificates. Things I noticed
> for openssl 1.0.1+:
> *) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
> *) some OCSP servers need an undocumented "-header Host <hostname>"
>    option to get through to the correct virtual host (eg. globaltrust)
>    404 Forbidden response otherwise
> *) some OCSP servers answer with the response certificate to use for -VAfile
>    verification. (eg. alphassl/globalsign. I used -text first to get it.
> *) for many OCSP servers it is sufficient to use the "-issuer" cert for
>    "-VAfile" as well to verify the response.


Some further notes:
*) -VAfile seems the same as "-trust_other -verify_other <PEM>"
*) using "-verify_other <PEM> -CAfile <cert.bundle>" checks the chain as well
and also works

But in case the OCSP response is signed with an intermediate Cert which is not
part of the Response Exim will not accept it. At least I found no way to
successfully load such an OCSP response.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria