[exim-dev] OCSP stapling failure with letsencrypt

Top Page
Delete this message
Reply to this message
Author: Renaud Allard
Date:  
To: exim-dev
Subject: [exim-dev] OCSP stapling failure with letsencrypt
Hello,

I am having issues using OCSP stapling with a letsencrypt certificate,
which are common things nowadays.

I have loaded the proof with the following openssl command:
openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert
cert.pem -url http://ocsp.int-x3.letsencrypt.org -header "HOST"
"ocsp.int-x3.letsencrypt.org" -verify_other chain.pem -rother chain.pem

As you can see, I have to use "-verify_other chain.pem" to be able to
get a positive verification for OCSP.

The problem I have now is that exim is unable to verify the signature.
I have added chain.pem in the tls_verify_certificates parameter (you
need to do the same in nginx for stapling to work).

But it seems exim is not using the tls_verify_certificates parameter to
validate the OCSP signature.

in tls-openssl.c, OCSP_basic_verify is called (twice) with the second
parameter being a NULL.
i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);

In openssl source, you can see that the call should be something like:
OCSP_basic_verify(bs, verify_other, store, verify_flags);

So the NULL should probably be tls_verify_certificates for OCSP stapling
to work.

Best Regards