[exim-dev] [Bug 1909] New: OCSP stapling failure with letsen…

Góra strony
Delete this message
Reply to this message
Autor: admin
Data:  
Dla: exim-dev
Temat: [exim-dev] [Bug 1909] New: OCSP stapling failure with letsencrypt
https://bugs.exim.org/show_bug.cgi?id=1909

            Bug ID: 1909
           Summary: OCSP stapling failure with letsencrypt
           Product: Exim
           Version: 4.87
          Hardware: All
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: pdp@???
          Reporter: renaud@???
                CC: exim-dev@???


I am having issues using OCSP stapling with a letsencrypt certificate, which
are common certificates nowadays.

I have loaded the proof with the following openssl command:
openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert cert.pem -url
http://ocsp.int-x3.letsencrypt.org -header "HOST" "ocsp.int-x3.letsencrypt.org"
-verify_other chain.pem -rother chain.pem

As you can see, I have to use "-verify_other chain.pem" to be able to
get a positive verification for OCSP.

The problem I have now is that exim is unable to verify the signature. I have
added chain.pem in the tls_verify_certificates parameter (you need to do the
same in nginx for stapling to work), but it seems exim is not using the
tls_verify_certificates parameter to validate the OCSP signature.

in tls-openssl.c, OCSP_basic_verify is called (twice) with the second parameter
being a NULL.
i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);

In openssl source, you can see that the call should be something like:
OCSP_basic_verify(bs, verify_other, store, verify_flags);

So the NULL should probably be the content of tls_verify_certificates for OCSP
stapling to work.

--
You are receiving this mail because:
You are on the CC list for the bug.