https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #4 from ulf wahlqvist <[email protected]> 2010-08-27 11:23:50 EDT ---
(In reply to comment #3)
> (In reply to comment #2)
> >
> > I have verified that if I use openssl directly from the command line it will
> > verify OK.
> >
> > openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
> > /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer
> > -text -url http://ocsp.trust.telia.com
> > .
> > .
> > Response verify OK
> > /mnt/download/uwcert.cer: good
> > This Update: Jul 29 10:43:41 2010 GMT
> > Next Update: Jul 30 10:43:45 2010 GMT
>
> The (currently fixed) parameters set in Apache for OCSP response validation
> require that This Update is not more than 10 minutes in the past. Check the
> command line switch -status_age 360 with openssl and see if you get the same
> error.

You were right - that is the problem:

[r...@fedoragui crl]# openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com -status_age 360
.
.
.
Response verify OK
/mnt/download/uwcert.cer: WARNING: Status times invalid.
3079378652:error:2707307F:OCSP routines:OCSP_check_validity:status too old:ocsp_cl.c:338:
good
This Update: Aug 27 14:13:55 2010 GMT
Next Update: Aug 28 14:13:58 2010 GMT
[r...@fedoragui crl]# date
Fri Aug 27 14:49:36 GMT 2010

I then tested with -validity_period 60 and it works:

[r...@fedoragui crl]# openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com -validity_period 60
.
.
.
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Aug 27 14:13:55 2010 GMT
Next Update: Aug 28 14:13:58 2010 GMT

I thought that -status_age was the same as -validity_period, but I now suspect that -validity_period is how old the response is and -status_age is "when the crl-list that the responder is using was timestamped".

I then waited until I got another "This Update" timestamp and got the successful verification and also SUCCEEDED to AUTHENTICATE in my browser.

[r...@fedoragui crl]# openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com -status_age 360
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Aug 27 14:51:18 2010 GMT
Next Update: Aug 28 14:51:21 2010 GMT
[r...@fedoragui crl]# date
Fri Aug 27 14:55:07 GMT 2010

The 10-minute limit is definitely a problem for me, because "This Update" is updated infrequently:

This Update: Aug 27 13:55:10 2010 GMT
This Update: Aug 27 14:13:55 2010 GMT
This Update: Aug 27 14:51:18 2010 GMT

I guess that it is updated "on demand", when something changes, and not periodically.
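The two switches compared in the comment above are not interchangeable. In OpenSSL's OCSP_check_validity(), -validity_period is nsec, a clock-skew leeway applied to both fields (thisUpdate may not be more than nsec in the future, nextUpdate not more than nsec in the past), while -status_age is maxsec, a separate cap on how far in the past thisUpdate may lie; it is disabled by default (-1). The Python block below is an added example, not code from the bug report, httpd or OpenSSL. It re-implements those checks and runs them on the timestamps quoted in the thread (embedded here as constructed string literals parsed from the openssl -text and date output; no response is fetched) to reproduce why -status_age 360 failed at 14:49:36 but passed at 14:55:07, and why -validity_period 60 passed. The comments that map the two values to mod_ssl's SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge directives describe httpd 2.4's mod_ssl, which passes those two settings to OCSP_check_validity().

```python
"""Added example: the time checks of OpenSSL's OCSP_check_validity(), written
out so the effect of `openssl ocsp -validity_period` (nsec) versus
`-status_age` (maxsec) is visible on the timestamps quoted in the bug thread.

Not code from the bug report, httpd or OpenSSL. The timestamps are copied from
the comment above as string literals; nothing here fetches or decodes an OCSP
response.
"""
from datetime import datetime, timedelta, timezone


def parse_openssl_time(text):
    """Parse 'Aug 27 14:13:55 2010 GMT' (openssl ocsp -text) or
    'Fri Aug 27 14:49:36 GMT 2010' (the `date` output in the thread)."""
    for fmt in ("%b %d %H:%M:%S %Y GMT", "%a %b %d %H:%M:%S GMT %Y"):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised time string: %r" % text)


def check_validity(this_update, next_update, now, nsec=300, maxsec=-1):
    """Mirror OCSP_check_validity(thisupd, nextupd, nsec, maxsec).

    nsec   -- clock-skew leeway in seconds: `openssl ocsp -validity_period`,
              mod_ssl SSLOCSPResponseTimeSkew (httpd 2.4); both default to 300.
    maxsec -- maximum age of thisUpdate in seconds, -1 disables the check:
              `openssl ocsp -status_age`, mod_ssl SSLOCSPResponseMaxAge
              (httpd 2.4); both default to -1.
    Returns the OpenSSL-style reasons; an empty list means the times are OK.
    """
    reasons = []
    skew = timedelta(seconds=nsec)

    # thisUpdate may not lie more than nsec in the future.
    if this_update > now + skew:
        reasons.append("status not yet valid")

    # With maxsec >= 0, thisUpdate may not lie more than maxsec in the past.
    # This is the check that fires as "status too old" in the thread.
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        reasons.append("status too old")

    if next_update is not None:
        # nextUpdate may not lie more than nsec in the past ...
        if next_update < now - skew:
            reasons.append("status expired")
        # ... and must not precede thisUpdate.
        if next_update < this_update:
            reasons.append("nextupdate before thisupdate")

    return reasons


# Constructed from the three `openssl ocsp` runs quoted in the comment:
# (thisUpdate, nextUpdate, local clock, nsec, maxsec).
RUNS = {
    # -status_age 360 with the default -validity_period 300, clock 14:49:36
    "status_age_360_first": ("Aug 27 14:13:55 2010 GMT", "Aug 28 14:13:58 2010 GMT",
                             "Fri Aug 27 14:49:36 GMT 2010", 300, 360),
    # -validity_period 60 and no -status_age, same response, same clock
    "validity_period_60": ("Aug 27 14:13:55 2010 GMT", "Aug 28 14:13:58 2010 GMT",
                           "Fri Aug 27 14:49:36 GMT 2010", 60, -1),
    # -status_age 360 again, after the responder issued a fresh thisUpdate
    "status_age_360_later": ("Aug 27 14:51:18 2010 GMT", "Aug 28 14:51:21 2010 GMT",
                             "Fri Aug 27 14:55:07 GMT 2010", 300, 360),
}


def evaluate_runs(runs=RUNS):
    """Apply check_validity() to each quoted run; returns {name: reasons}."""
    return {
        name: check_validity(parse_openssl_time(this_u), parse_openssl_time(next_u),
                             parse_openssl_time(clock), nsec=nsec, maxsec=maxsec)
        for name, (this_u, next_u, clock, nsec, maxsec) in runs.items()
    }


if __name__ == "__main__":
    for name, reasons in evaluate_runs().items():
        print("%-22s %s" % (name, ", ".join(reasons) or "good"))
```

In the first run thisUpdate is about 35 minutes old, so any maxsec below roughly 2100 seconds rejects it regardless of the skew value; lowering nsec to 60 changes nothing because neither field is anywhere near the skew window. The caveat for a server operator is the one the comment's timestamp list makes concrete: a fixed maxsec assumes the responder refreshes thisUpdate at least that often, and against a responder that refreshes on demand it turns good responses into authentication failures. With maxsec left at -1 the response is bounded only by nextUpdate, which is the freshness promise the responder itself signed, plus the skew leeway.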
