Hello,
I am having issues using OCSP stapling with a letsencrypt certificate,
which are common things nowadays.
I have loaded the proof with the following openssl command:
openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert cert.pem \
    -url http://ocsp.int-x3.letsencrypt.org \
    -header "HOST" "ocsp.int-x3.letsencrypt.org" \
    -verify_other chain.pem -rother chain.pem
As you can see, I have to use "-verify_other chain.pem" to be able to
get a positive verification for OCSP.
The problem I have now is that exim is unable to verify the signature.
I have added chain.pem in the tls_verify_certificates parameter (you
need to do the same in nginx for stapling to work).
But it seems exim is not using the tls_verify_certificates parameter to
validate the OCSP signature.
In tls-openssl.c, OCSP_basic_verify is called (twice) with the second
parameter being NULL:
i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
In the openssl source, you can see that the call should be something like:
OCSP_basic_verify(bs, verify_other, store, verify_flags);
So the NULL should probably be tls_verify_certificates for OCSP stapling
to work.
Best Regards
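Added example (not part of the message above, and not exim's or OpenSSL's code): a shell script that reproduces the situation described in the mail with a constructed local PKI and nothing but the openssl command line. A root CA issues an intermediate, the intermediate issues a leaf and answers OCSP for it with its own key, and the response carries no certificate (-resp_no_certs is an assumption chosen to mimic a responder that relies on the client already holding the issuer). The response is then verified three ways: with only the root in the store and no extra signer certificates (the certs argument NULL, as in the exim call), with the whole chain in the store but still no -verify_other, and with -verify_other pointing at the intermediate. All file names and subject names are made up for this example.

```shell
#!/bin/sh
# Added example: reproduce the "signer certificate not found" behaviour with a
# constructed local PKI and the openssl CLI. Not exim code; all names made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: an empty DN section (every request passes -subj)
# and the extension sections used when signing.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# new_cert NAME SUBJECT EXT [issuer args...]: CSR plus signed cert in $WORK.
# Without issuer args the certificate is self-signed (the root).
new_cert() {
    name=$1; subject=$2; ext=$3; shift 3
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subject" 2>/dev/null
    if [ $# -eq 0 ]; then
        set -- -signkey "$WORK/$name.key"
    fi
    openssl x509 -req -in "$WORK/$name.csr" -days 30 -extfile "$WORK/ca.cnf" \
        -extensions "$ext" -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# build_pki: root -> intermediate -> leaf (serial 0x1000); chain.pem is what
# exim's tls_verify_certificates would hold (intermediate + root).
build_pki() {
    new_cert root "/CN=Example Root" v3_ca
    new_cert int "/CN=Example Intermediate" v3_ca \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -set_serial 0x10
    new_cert leaf "/CN=mail.example.test" v3_leaf \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -set_serial 0x1000
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# make_response: the intermediate answers "good" for serial 0x1000 from a
# ca(1)-style index (tab-separated: status, expiry, revocation date, serial in
# hex, file, subject), signs with its own key and embeds no certificate.
make_response() {
    printf 'V\t300101000000Z\t\t1000\tunknown\t/CN=mail.example.test\n' > "$WORK/index.txt"
    openssl ocsp -issuer "$WORK/int.pem" -cert "$WORK/leaf.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/int.pem" \
        -rsigner "$WORK/int.pem" -rkey "$WORK/int.key" -resp_no_certs \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null
}

# ocsp_verify CAFILE [extra openssl ocsp args]: prints ok or fail. -issuer is
# left out on purpose: newer openssl ocsp versions retry with the issuer certs
# as trusted signers when verification fails, which would hide the point.
ocsp_verify() {
    cafile=$1; shift
    if openssl ocsp -respin "$WORK/resp.der" -no_nonce -CAfile "$cafile" "$@" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

build_pki
make_response
echo "store=root, certs=NULL:               $(ocsp_verify "$WORK/root.pem")"
echo "store=chain (int+root), certs=NULL:   $(ocsp_verify "$WORK/chain.pem")"
echo "store=root, -verify_other int.pem:    $(ocsp_verify "$WORK/root.pem" -verify_other "$WORK/int.pem")"
```

Only the last run prints ok. OCSP_basic_verify looks for the responder certificate in the certs argument and in the certificates embedded in the response; the store is consulted only afterwards, to build the signer's chain to a trust anchor. So with a response that carries no certificate, having chain.pem in the store (the tls_verify_certificates case) does not help while the second argument is NULL, which is exactly what the openssl command line works around with -verify_other.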