[exim-dev] [Bug 1909] OCSP stapling failure with letsencrypt

Page principale
Supprimer ce message
Répondre à ce message
Auteur: admin
Date:  
À: exim-dev
Sujet: [exim-dev] [Bug 1909] OCSP stapling failure with letsencrypt
https://bugs.exim.org/show_bug.cgi?id=1909

--- Comment #1 from Jeremy Harris <jgh146exb@???> ---
It seems that LE sign the OCSP proof directly with their cert-signing key,
unlike other suppliers who maintain an intermediate OCSP-signing cert.
Possibly this makes sense with their lifetimes; it's a different approach to
key hygiene.

Then, what they supply is only the proof (versus proof plus OCSP-signing cert).
This mucked up Exim's verification of proofs (both loading into the server and
verifying in a client), under OpenSSL.

It seems that the OCSP_basic_verify() routine uses its first and second args
for verifying the trust chain to the proof, and the third only for technical
checks. If we construct a cert stack for the 2nd arg using the cert(s)
presented on the wire (client case) or in the server context store (server
case)
we seem to get a good verify for both, at least in a constructed situation in
the testsuite.

Lets hope it works with LetsEncrypt.

--
You are receiving this mail because:
You are on the CC list for the bug.