Hi! I tried to set up OCSP stapling and had some surprises to overcome:
I think the supplied script "ocsp_fetch.pl" will fail in many cases following the included help. I took the openssl command it issues ...

  # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
      -respout <file>

and experimented until it worked for all of my certificates. Things I noticed for openssl 1.0.1+:

*) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response.
*) Some OCSP servers need an undocumented "-header Host <hostname>" option to get through to the correct virtual host (eg. globaltrust); 404 Forbidden response otherwise.
*) Some OCSP servers answer with the response certificate to use for -VAfile verification (eg. alphassl/globalsign). I used -text first to get it.
*) For many OCSP servers it is sufficient to use the "-issuer" cert for "-VAfile" as well to verify the response.

Greetings, Wolfgang

--
Wolfgang Breyha <[email protected]> | http://www.blafasel.at/
Vienna University Computer Center | Austria

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
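The findings above, gathered into a small POSIX sh wrapper as an added example (not part of the post or of exim's ocsp_fetch.pl): it derives the Host header from the responder URL, defaults -VAfile to the issuer certificate, and only treats the fetch as usable for stapling when openssl reports both "Response verify OK" and a "good" status. Function names and the version handling for -header (OpenSSL 1.1.0 changed its syntax from "name value" to "name=value") are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: wrapper around the
# "openssl ocsp" call the post arrived at. Function names are mine.

# Hostname part of an http(s) URL, e.g.
# "http://ocsp.example.net:8080/path" -> "ocsp.example.net"
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/?#].*$||' \
                             -e 's|^[^@]*@||' -e 's|:[0-9]*$||'
}

# OpenSSL 1.1.0 changed -header from "name value" to "name=value";
# emit the form matching the installed binary (or the version given).
ocsp_header_args() {
    host=$1
    version=${2:-$(openssl version | awk '{print $2}')}
    case $version in
        0.*|1.0.*) printf '%s Host %s\n' -header "$host" ;;
        *)         printf '%s Host=%s\n' -header "$host" ;;
    esac
}

# ocsp_fetch ISSUER CERT URL OUT [VAFILE]
# Fetch the response for CERT (issued by ISSUER) from URL into OUT.
# VAFILE defaults to the issuer cert, which many responders accept; pass
# the responder's own signing certificate (found via -text) otherwise.
# Returns 1 on fetch error, 2 if verification fails, 3 if status is not good.
ocsp_fetch() {
    issuer=$1; cert=$2; url=$3; out=$4; vafile=${5:-$1}
    host=$(ocsp_host_from_url "$url")
    # shellcheck disable=SC2046  (the header args are meant to be split)
    result=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                 $(ocsp_header_args "$host") -VAfile "$vafile" \
                 -respout "$out" 2>&1) || return 1
    printf '%s\n' "$result" | grep -q '^Response verify OK' \
        || { printf '%s\n' "$result" >&2; return 2; }
    printf '%s\n' "$result" | grep -q ': good$' \
        || { printf '%s\n' "$result" >&2; return 3; }
}
```

Only a response that passes both checks should be handed to the MTA as a stapled response; a verify failure usually means -VAfile needs the responder's certificate rather than the issuer.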
