Hi all,

I'm having issues getting OCSP stapling working with exim 4.85.

$ exim -bV
Exim version 4.85 #2 built 01-Jun-2015 16:46:36
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 4.8.30: (2014-12-24)
Support for: crypteq iconv() IPv6 PAM OpenSSL Content_Scanning Old_Demime PRDR OCSP Experimental_SPF Experimental_SRS Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch passwd
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf

Certificate chain is actually the following:

$ openssl x509 -in /etc/ssl/private/enlightenment.org.crt -noout -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.enlightenment.org
c1b3f093
issuer= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
8544bf03
http://ocsp.usertrust.com

$ openssl x509 -in /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt -noout -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
8544bf03
issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
fc5a8f99
http://ocsp.usertrust.com

$ openssl x509 -in /etc/ssl/private/USERTrust-RSA-Certification-Authority.crt -noout -subject -subject_hash -issuer -issuer_hash -ocsp_uri
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
fc5a8f99
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
157753a5
http://ocsp.usertrust.com

OCSP staple file is retrieved this way:

$ openssl ocsp -no_nonce -issuer /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt -cert /etc/ssl/private/enlightenment.org.pem -url http://ocsp.usertrust.com -CAfile /etc/ssl/certs/ca-certificates.crt -VAfile /etc/ssl/private/Gandi-Standard-SSL-CA-2.crt -respout /etc/ssl/private/enlightenment.org.pem.ocsp -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A5E2344EF5763A9CE2F31E9B9807B0075727A5F9
          Issuer Key Hash: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
          Serial Number: 399CBD9E8051AFD8F2F298421ECF6666
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
    Produced At: Oct 31 03:46:35 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A5E2344EF5763A9CE2F31E9B9807B0075727A5F9
      Issuer Key Hash: B390A7D8C9AF4ECD613C9F7CAD5D7F41FD6930EA
      Serial Number: 399CBD9E8051AFD8F2F298421ECF6666
    Cert Status: good
    This Update: Oct 31 03:46:35 2015 GMT
    Next Update: Nov  4 03:46:35 2015 GMT

    Signature Algorithm: sha256WithRSAEncryption
         65:ce:db:74:8e:bf:e8:95:5a:66:87:2d:01:57:07:d6:fd:58:
         34:a9:f8:52:f7:d2:62:39:dd:92:e3:5d:d0:5c:a2:be:06:2c:
         78:af:84:17:5f:1b:9d:ba:32:0d:af:6f:22:0e:e4:46:12:e8:
         c3:ef:64:36:ca:29:7d:e0:a4:dd:4b:99:96:ed:72:e0:91:f3:
         6c:24:06:a8:9c:14:be:b2:c6:e6:b2:3c:01:4c:87:f2:f7:25:
         64:69:a0:a6:88:15:de:44:39:a3:10:39:b9:57:be:66:5e:20:
         cb:7a:08:dd:42:6a:36:86:64:c5:fc:d5:0e:7a:a6:3e:0d:fb:
         49:d8:68:94:a1:11:e5:e0:c1:d5:bd:db:37:a2:e9:70:44:f2:
         a3:c0:bf:8c:53:b0:cf:fd:07:97:32:3d:b3:73:92:71:94:60:
         c2:86:3c:c1:2a:29:53:11:af:5c:23:8d:bd:cf:0e:3b:c1:2b:
         26:5c:ed:f5:96:be:18:45:ff:56:8f:85:f6:10:b4:c3:29:bc:
         44:aa:d6:e2:0b:0b:c6:cc:69:e2:e8:07:3f:97:d2:c0:3b:dd:
         ad:2d:a1:37:c7:bd:f8:d5:26:b2:28:a0:ce:30:48:ec:ab:49:
         38:1d:09:6f:b1:d8:e2:61:18:5a:87:8e:bb:bc:64:b4:df:04:
         13:44:fa:04
Response verify OK
/etc/ssl/private/enlightenment.org.pem: good
        This Update: Oct 31 03:46:35 2015 GMT
        Next Update: Nov  4 03:46:35 2015 GMT

As you can see, the OCSP response is valid and fully verified, but Exim complains with the following error when reading the OCSP file:

18086 OCSP response verify failure: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found

I tried appending the DER form of every cert up to the CA to the file, with no success.

The same OCSP file is used by haproxy to deliver OCSP stapling for HTTP and it actually works great.

Is OCSP_basic_verify enough to check whether the OCSP file is correct or not?

Thanks!

--
Bertrand
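The response in the post is signed directly by the issuing CA's key: the Responder Id (B390A7D8...) is the same value as the Issuer Key Hash in the Certificate ID, and no signer certificate is embedded in the response. OpenSSL's OCSP_basic_verify can therefore only find the signer if the Gandi intermediate is among the certificates it is handed (either inside the response or in the trust/chain material), which is exactly what `signer certificate not found` means. The following added example, which is not code from the thread or from Exim, reproduces that condition and the checks a staple file should pass before being served. It uses the `cryptography` package, builds a constructed throwaway CA and leaf (not the real enlightenment.org or Gandi certificates), and looks up the signer by the RFC 6960 KeyHash, the SHA-1 over the subjectPublicKey BIT STRING, which is the same value the RFC 5280 method-1 Subject Key Identifier yields.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
from cryptography.x509.ocsp import (
    OCSPCertStatus, OCSPResponderEncoding, OCSPResponseBuilder,
    OCSPResponseStatus, load_der_ocsp_response,
)


def key_hash(cert):
    """RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING (tag and
    length excluded). Identical to the RFC 5280 method-1 SKI digest."""
    return x509.SubjectKeyIdentifier.from_public_key(cert.public_key()).digest


def find_signer(resp, trusted_certs):
    """Locate the certificate whose key signed the response: first among the
    certs embedded in the response, then among the certs the verifier was
    given. None means what OpenSSL reports as 'signer certificate not found'."""
    if resp.responder_key_hash is not None:
        def matches(c):
            return key_hash(c) == resp.responder_key_hash
    else:  # responder identified by name instead of by key hash
        def matches(c):
            return c.subject == resp.responder_name
    for cert in list(resp.certificates) + list(trusted_certs):
        if matches(cert):
            return cert
    return None


def check_staple(der_bytes, issuer_cert, trusted_certs, now=None):
    """Return (ok, reason) for a DER OCSP response intended to be stapled for a
    certificate issued by issuer_cert."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    resp = load_der_ocsp_response(der_bytes)
    if resp.response_status != OCSPResponseStatus.SUCCESSFUL:
        return False, "response status %s" % resp.response_status.name
    # The single response must be about a cert issued by the issuer we serve.
    if resp.issuer_key_hash != key_hash(issuer_cert):
        return False, "issuerKeyHash does not match the supplied issuer"
    signer = find_signer(resp, trusted_certs)
    if signer is None:
        return False, "signer certificate not found"
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify"
    if resp.next_update is not None and now > resp.next_update:
        return False, "response expired (nextUpdate in the past)"
    if resp.certificate_status != OCSPCertStatus.GOOD:
        return False, "certificate status %s" % resp.certificate_status.name
    return True, "ok"


def build_test_material():
    """Constructed test PKI (hypothetical names, not the thread's real certs):
    a CA signs a leaf and, like the responder in the thread, signs the OCSP
    response with its own CA key and embeds no signer certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "mail.example.test")])
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf_cert = (x509.CertificateBuilder()
                 .subject_name(leaf_name).issuer_name(ca_name)
                 .public_key(leaf_key.public_key())
                 .serial_number(x509.random_serial_number())
                 .not_valid_before(now - datetime.timedelta(days=1))
                 .not_valid_after(now + datetime.timedelta(days=90))
                 .sign(ca_key, hashes.SHA256()))
    resp = (OCSPResponseBuilder()
            .add_response(cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=OCSPCertStatus.GOOD, this_update=now,
                          next_update=now + datetime.timedelta(days=4),
                          revocation_time=None, revocation_reason=None)
            .responder_id(OCSPResponderEncoding.HASH, ca_cert)  # ResponderID = CA key hash
            .sign(ca_key, hashes.SHA256()))
    return ca_cert, leaf_cert, resp.public_bytes(serialization.Encoding.DER)


if __name__ == "__main__":
    ca, leaf, der = build_test_material()
    print("leaf only:   ", check_staple(der, ca, [leaf]))   # signer certificate not found
    print("leaf + issuer:", check_staple(der, ca, [leaf, ca]))  # (True, 'ok')
```

With only the leaf available the lookup fails the same way Exim's log line does; once the issuing CA certificate is among the candidates the responder key hash matches and the signature verifies. Run against a real staple (`open("file.ocsp","rb").read()`) with the PEM-loaded issuer and chain to see which of the checks a given file fails.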

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
