https://bugs.exim.org/show_bug.cgi?id=1909
--- Comment #1 from Jeremy Harris <jgh146exb@???> ---
It seems that LE sign the OCSP proof directly with their cert-signing key,
unlike other suppliers who maintain an intermediate OCSP-signing cert.
Possibly this makes sense with their lifetimes; it's a different approach to
key hygiene.
Then, what they supply is only the proof (versus proof plus OCSP-signing cert).
This mucked up Exim's verification of proofs (both loading into the server and
verifying in a client), under OpenSSL.
It seems that the OCSP_basic_verify() routine uses its first and second args
for verifying the trust chain to the proof, and the third only for technical
checks. If we construct a cert stack for the 2nd arg using the cert(s)
presented on the wire (client case) or in the server context store (server
case) we seem to get a good verify for both, at least in a constructed
situation in the testsuite.
Let's hope it works with LetsEncrypt.
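An added demonstration with the openssl CLI (not Exim's code and not from the bug): a constructed CA signs an OCSP response directly with its own key and attaches no signer cert, and `openssl ocsp` only verifies that response once the issuer cert is handed in via -issuer, which is how the tool exercises the second-argument ("other certs") path of OCSP_basic_verify() that the comment describes. All names, the serial and the index entry are made up.

```shell
# Constructed demo, not Exim's code: a throwaway CA signs an OCSP response
# with its own key and includes no signer certificate (the shape described
# above), then the response is verified with and without an issuer stack.
DEMO=$(mktemp -d)
cd "$DEMO" || exit 1
q() { "$@" >/dev/null 2>&1; }   # run quietly; key generation is chatty

# Throwaway CA and one leaf cert with serial 0x1001 (all values constructed).
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=demo-ca -days 2
q openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=leaf
q openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out leaf.crt
# CA index entry: status V(alid), expiry, empty revocation date, serial,
# unknown file name, subject; this is what the -index responder mode reads.
printf 'V\t401231235959Z\t\t1001\tunknown\t/CN=leaf\n' > index.txt

# OCSP request for the leaf, then a response signed by the CA key itself with
# -resp_no_certs so that, like the proofs discussed above, no signer cert
# travels with it.
q openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der
q openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -reqin req.der -resp_no_certs -respout resp.der

# Verify resp.der against the CA; $1 carries extra options (left unquoted so
# an empty argument adds nothing). Prints "ok" or "fail" from the tool's text.
verify_resp() {
    if openssl ocsp -respin "$DEMO/resp.der" -CAfile "$DEMO/ca.crt" $1 2>&1 \
        | grep -q 'Response verify OK'; then echo ok; else echo fail; fi
}

# Without an issuer stack the signer cert cannot be located at all; with it,
# the CA cert is matched against the responder ID and the signature checks.
echo "no issuer supplied: $(verify_resp '')"
echo "issuer supplied:    $(verify_resp "-issuer $DEMO/ca.crt")"
```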