https://bugs.exim.org/show_bug.cgi?id=1909
--- Comment #1 from Jeremy Harris <[email protected]> ---

It seems that LE signs the OCSP proof directly with their cert-signing key, unlike other suppliers who maintain an intermediate OCSP-signing cert. Possibly this makes sense with their lifetimes; it's a different approach to key hygiene. Then, what they supply is only the proof (versus proof plus OCSP-signing cert).

This mucked up Exim's verification of proofs (both loading into the server and verifying in a client), under OpenSSL.

It seems that the OCSP_basic_verify() routine uses its first and second args for verifying the trust chain to the proof, and the third only for technical checks. If we construct a cert stack for the 2nd arg using the cert(s) presented on the wire (client case) or in the server context store (server case) we seem to get a good verify for both, at least in a constructed situation in the testsuite.

Let's hope it works with LetsEncrypt.
