On 19/04/16 10:57, Wolfgang Breyha wrote:
> Wolfgang Breyha wrote on 18/04/16 17:52:
>> Hi!
>>
>> I tried to set up OCSP stapling and had some surprises to overcome:
>>
>> I think the supplied script "ocsp_fetch.pl" will fail in many cases following
>> the included help.
>>
>> I took the openssl command it issues ...
>> # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
>> -respout <file>
>> and experimented until it worked for all of my certificates. Things I noticed
>> for openssl 1.0.1+:
>> *) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
>> *) some OCSP servers need an undocumented "-header Host <hostname>"
>> option to get through to the correct virtual host (e.g. globaltrust);
>> 404 Forbidden response otherwise
>> *) some OCSP servers answer with the response certificate to use for -VAfile
>> verification (e.g. alphassl/globalsign; I used -text first to get it).
>> *) for many OCSP servers it is sufficient to use the "-issuer" cert for
>> "-VAfile" as well to verify the response.
>
> Some further notes:
> *) -VAfile seems the same as "-trust_other -verify_other <PEM>"
> *) using "-verify_other <PEM> -CAfile <cert.bundle>" checks the chain as well
> and also works
>
> But in case the OCSP response is signed with an intermediate Cert which is not
> part of the Response Exim will not accept it. At least I found no way to
> successfully load such an OCSP response.
Mmmpff. Do you _want_ to trust it, when it's not signed by the CA for
the cert?
--
Jeremy
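The fetch-and-check sequence the thread arrives at, as an added shell example; it is not Exim's ocsp_fetch.pl nor code posted in the thread, the file names, URL and hostname are placeholders, and the version switch for the -header syntax reflects the change from "-header Host name" (OpenSSL 1.0.x) to "-header Host=name" (1.1.0 and later).

```shell
#!/bin/sh
# Added example, not code from the thread or from Exim's ocsp_fetch.pl.
# Fetches an OCSP response for stapling with the options the thread settled on
# and then checks the stored response before it is handed to the MTA.
# File names, the URL and the hostname below are placeholders.

# Host part of the OCSP URL (port kept), to be sent as the HTTP Host header
# because some responders serve several virtual hosts and fail without it.
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|/.*$||'
}

# Syntax of -header differs: OpenSSL 1.0.x takes "-header Host name",
# 1.1.0 and later take "-header Host=name". Falls back to the newer form.
ocsp_header_args() {
    ver=$(openssl version 2>/dev/null || true)
    case "$ver" in
        "OpenSSL 1.0"*) printf '%s\n' "-header Host $1" ;;
        *)              printf '%s\n' "-header Host=$1" ;;
    esac
}

# Usage: ocsp_fetch cert.pem issuer.pem http://ocsp.example.net/ chain.pem resp.der
# -verify_other/-CAfile verifies the responder's signing certificate against
# the issuer and the full chain; "-VAfile issuer.pem" is the shorter equivalent
# when the response is signed directly by the issuer.
ocsp_fetch() {
    cert=$1; issuer=$2; url=$3; bundle=$4; out=$5
    host=$(ocsp_host_from_url "$url")
    # shellcheck disable=SC2046  (the header option is meant to split into words)
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
        $(ocsp_header_args "$host") \
        -verify_other "$issuer" -CAfile "$bundle" -respout "$out" || return 1
    # Re-read the saved DER response and insist on a verified "good" status.
    # -no_nonce: this second request carries no nonce, so the nonce of the
    # stored response is not compared against a fresh one and rejected.
    openssl ocsp -respin "$out" -issuer "$issuer" -cert "$cert" -no_nonce \
        -verify_other "$issuer" -CAfile "$bundle" 2>&1 | grep -q ': good$'
}
```

A non-zero exit from ocsp_fetch means either the fetch or the verification of the stored response failed, so the caller should keep the previous stapled response rather than install the new file.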