[exim-dev] [Bug 1909] OCSP stapling failure with letsencrypt

Góra strony
Delete this message
Reply to this message
Autor: admin
Data:  
Dla: exim-dev
Temat: [exim-dev] [Bug 1909] OCSP stapling failure with letsencrypt
https://bugs.exim.org/show_bug.cgi?id=1909

--- Comment #1 from Jeremy Harris <jgh146exb@???> ---
It seems that LE sign the OCSP proof directly with their cert-signing key,
unlike other suppliers who maintain an intermediate OCSP-signing cert.
Possibly this makes sense with their lifetimes; it's a different approach to
key hygiene.

Then, what they supply is only the proof (versus proof plus OCSP-signing cert).
This mucked up Exim's verification of proofs (both loading into the server and
verifying in a client), under OpenSSL.

It seems that the OCSP_basic_verify() routine uses its first and second args
for verifying the trust chain to the proof, and the third only for technical
checks. If we construct a cert stack for the 2nd arg using the cert(s)
presented on the wire (client case) or in the server context store (server
case)
we seem to get a good verify for both, at least in a constructed situation in
the testsuite.

Lets hope it works with LetsEncrypt.

--
You are receiving this mail because:
You are on the CC list for the bug.