On Tue, Feb 4, 2014 at 10:25 AM, Reindl Harald <[email protected]> wrote:
> On 04.02.2014 19:16, Falco Schwarz wrote:
>> After playing around a bit more with this patch, I discovered that
>> OCSPStapling cannot get the issuer certificate if you use only the
>> SSLCertificateFile directive. It works if you specify
>> SSLCertificateChainFile, though.
>>
>> Error only using SSLCertificateFile:
>> 2014-02-04 19:07:13 [ssl|error] AH02217: ssl_stapling_init_cert: Can't
>> retrieve issuer certificate!
>> 2014-02-04 19:07:13 [ssl|error] AH02567: Unable to configure certificate
>> foo.bar:443:0 for stapling
>
> the information for OCSP stapling is in the "SSLCertificateChainFile" by
> definition
> http://en.wikipedia.org/wiki/OCSP_stapling
It would be possible for a server to fetch and staple the OCSP response only
using the information from the server's end-entity certificate. However, it is
important that the server verify that the OCSP response is valid for the
end-entity certificate, and it cannot do that without the issuing certificate.
In particular, the server needs to verify that the OCSP response was signed
(perhaps indirectly) by the issuing certificate.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
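The check Brian describes, reproduced with the openssl command line as an added example that is not part of this thread and not mod_ssl's code: a throwaway CA (constructed, named "Example Issuing CA") issues a certificate for foo.bar and signs an OCSP response for it, then the response is checked the way a stapling server must check it before serving it, once with the issuer certificate available and once with only the end-entity certificate. The file names (ca.pem, leaf.pem, index.txt, resp.der) and the serial 0x1001 are constructed for the demo; the only assumption is an installed openssl binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from the thread: a constructed CA, a leaf cert for
# foo.bar, and an OCSP response that is then validated with and without
# the issuer certificate. Nothing here touches a real server or CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_pki() {
  # Minimal req config so the run does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' > req.cnf
  printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\n' >> req.cnf
  # Self-signed issuing CA (constructed, not a real CA)
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Example Issuing CA" -days 1 2>/dev/null
  # End-entity certificate for foo.bar with serial 0x1001
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=foo.bar" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
    -set_serial 0x1001 -days 1 -out leaf.pem 2>/dev/null
  # Hand-written "openssl ca" index row: status, expiry, revocation date,
  # serial (hex), file name, subject. V = valid; serial must match leaf.pem.
  printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=foo.bar\n' > index.txt
  printf 'unique_subject = yes\n' > index.txt.attr
}

make_response() {
  # Act as the CA's OCSP responder for one request built from leaf.pem and
  # its issuer. -no_nonce so the saved response can be re-checked later.
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -issuer ca.pem -cert leaf.pem -no_nonce -respout resp.der >/dev/null 2>&1
}

# What a stapling server must establish before serving resp.der: the response
# verifies and says "good" for leaf.pem. The issuer certificate is needed both
# to build the CertID (issuer name/key hashes) and to verify the signature.
check_with_issuer() {
  openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
    -no_nonce > verify.out 2>&1 || return 1
  grep -q '^leaf.pem: good' verify.out
}

# Same check with only the end-entity certificate: openssl cannot even form
# the CertID for leaf.pem, so nothing can be validated (non-zero exit).
check_without_issuer() {
  openssl ocsp -respin resp.der -cert leaf.pem -CAfile ca.pem \
    -no_nonce >/dev/null 2>&1
}

make_pki
make_response
check_with_issuer
echo "with issuer certificate: response verified, foo.bar is good"
if check_without_issuer; then
  echo "unexpected: response accepted without the issuer certificate" >&2
  exit 1
fi
echo "without issuer certificate: response cannot be validated for foo.bar"
```

The second case is the same failure mod_ssl reports as AH02217 when only SSLCertificateFile is configured: without the issuer certificate the server has no way to build the CertID for the end-entity certificate or to check who signed the response, so it refuses to staple rather than serve an unverified response.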
