https://bugs.exim.org/show_bug.cgi?id=1909
Bug ID: 1909
Summary: OCSP stapling failure with letsencrypt
Product: Exim
Version: 4.87
Hardware: All
OS: All
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: pdp@???
Reporter: renaud@???
CC: exim-dev@???
I am having issues using OCSP stapling with a letsencrypt certificate, which
is a common kind of certificate nowadays.
I have loaded the proof with the following openssl command:
openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert cert.pem \
    -url http://ocsp.int-x3.letsencrypt.org \
    -header "HOST" "ocsp.int-x3.letsencrypt.org" \
    -verify_other chain.pem -rother chain.pem
As you can see, I have to use "-verify_other chain.pem" to be able to
get a positive verification for OCSP.
The problem I have now is that exim is unable to verify the signature. I have
added chain.pem in the tls_verify_certificates parameter (you need to do the
same in nginx for stapling to work), but it seems exim is not using the
tls_verify_certificates parameter to validate the OCSP signature.
In tls-openssl.c, OCSP_basic_verify is called (twice) with the second parameter
being a NULL:
i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
In the openssl source, you can see that the call should be something like:
OCSP_basic_verify(bs, verify_other, store, verify_flags);
So the NULL should probably be the content of tls_verify_certificates for OCSP
stapling to work.
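The behaviour the report describes can be reproduced with nothing but the openssl CLI. The script below is an added illustration, not Exim or OpenSSL code: it constructs a throwaway CA (playing the role of the issuing intermediate) and a leaf certificate in a temp directory, has the CA sign an OCSP response that does not embed the signer certificate, and then verifies that response first with the trust store alone (the `certs` argument left NULL, as in the Exim call) and then with the issuer passed via -verify_other, which is what fills that `certs` argument in the openssl tool.

```shell
#!/bin/sh
# Added example, not Exim or OpenSSL code. Shows with the openssl CLI why
# OCSP_basic_verify() needs the issuer in its "certs" argument (what
# "openssl ocsp -verify_other" supplies), not only in the X509_STORE.
# Everything is constructed in a temp directory; nothing goes on the network.

# build_pki: throwaway CA that also signs OCSP responses (the role the
# issuing intermediate plays in the report) plus one leaf it has issued.
build_pki() {
    WORK=$(mktemp -d) && cd "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Test Issuing CA" -days 2 >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=mail.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 1 -out leaf.pem >/dev/null 2>&1 || return 1
    # Minimal CA database for "openssl ocsp -index": serial 1001 is valid (V).
    printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=mail.example.test\n' > index.txt
}

# make_response: DER OCSP response for the leaf, signed with the CA key.
# -resp_no_certs leaves the signer certificate out of the response, so a
# verifier has to be handed it some other way (the "certs" argument).
make_response() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der \
        >/dev/null 2>&1 || return 1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -resp_no_certs -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
    [ -s resp.der ]
}

# verify_response [extra openssl ocsp options]: verify resp.der with ca.pem
# as the trust store. Prints the verdict line; returns 0 only on "verify OK".
verify_response() {
    out=$(openssl ocsp -respin resp.der -CAfile ca.pem -no_nonce "$@" 2>&1)
    printf '%s\n' "$out" | grep -E '^Response [Vv]erify'
    printf '%s\n' "$out" | grep -q '^Response verify OK'
}

main() {
    build_pki && make_response || { echo "setup failed"; return 1; }
    echo "store only (certs=NULL, as in the Exim call):"
    verify_response                       # Response Verify Failure
    echo "store plus issuer passed as certs:"
    verify_response -verify_other ca.pem  # Response verify OK
}
main "$@"
```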