On 04/18/2016 05:52 PM, Wolfgang Breyha wrote:
> Hi!
>
> I tried to set up OCSP stapling and had some surprises to overcome:
>
> I think the supplied script "ocsp_fetch.pl" will fail in many cases following
> the included help.
>
> I took the openssl command it issues ...
> # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
>     -respout <file>
> and experimented until it worked for all of my certificates. Things I noticed
> for openssl 1.0.1+:
> *) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
> *) some OCSP servers need an undocumented "-header Host <hostname>"
>    option to get through to the correct virtual host (eg. globaltrust),
>    404 Forbidden response otherwise
> *) some OCSP servers answer with the response certificate to use for -VAfile
>    verification (eg. alphassl/globalsign; I used -text first to get it).
> *) for many OCSP servers it is sufficient to use the "-issuer" cert for
>    "-VAfile" as well to verify the response.
>
> Greetings, Wolfgang

Hi,

I have a similar problem. Some certs need -VAfile to verify OK, but then they will not be stapled inside Exim. An Exim debug run shows:

  Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR Experimental_SPF Experimental_DANE Experimental_DMARC
  11:24:17 17373 tls_ocsp_file /etc/exim4/ocsp/ocspresponse
  11:24:17 17373 OCSP response verify failure: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
That is the same error which can be seen when I just use the ocsp_fetch.pl script without -VAfile:
"...OCSP_basic_verify:signer certificate not found..."

A cipherscan shows that this cert will never staple OCSP in the TLS connection.

  cipherscan tributh.net:465
  ........
  Target: tributh.net:465

  prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  pfs                 curves     curves_ordering
  1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                4096         sha256WithRSAEncryption  True     None         False        ECDH,P-384,384bits  secp384r1  server
  2     ECDHE-RSA-AES256-SHA384      TLSv1.2                4096         sha256WithRSAEncryption  True     None         False        ECDH,P-384,384bits  secp384r1  server
  3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  4096         sha256WithRSAEncryption  True     None         False        ECDH,P-384,384bits  secp384r1  server

  OCSP stapling: not supported
  Cipher ordering: server
  Curves ordering: server - fallback: no
  Server supports secure renegotiation
  Server supported compression methods: NONE
  TLS Tolerance: yes

For this type of cert, where a -VAfile option is needed to verify OK, a patch for Exim is needed so that it verifies and then staples.

--
Torsten

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
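Added illustration, not code from this thread, from Exim or from OpenSSL: Wolfgang's observations and Torsten's "signer certificate not found" both come down to who signed the OCSP response. The stdlib-only Python below parses an OCSP response's DER just far enough to report whether the signer certificate is embedded in the response, whether the responderID names the issuer (so the issuer works as -VAfile), or whether a delegated responder certificate must be supplied separately, which is the case a verifier holding only the issuer rejects. The DER helpers, the sample response and the issuer identity are all constructed here.

```python
# Tiny DER helpers written for this example (not exim or openssl code).
def der(tag, body):
    """Encode one TLV; short-form length only (enough for the constructed samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, off=0):
    """Return (tag, value, offset_after) for the TLV at buf[off]; handles long-form lengths."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(buf):
    """TLVs nested directly inside a constructed value, as (tag, value) pairs."""
    out, off = [], 0
    while off < len(buf):
        tag, val, off = read_tlv(buf, off)
        out.append((tag, val))
    return out

OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # id-pkix-ocsp-basic
def classify_signer(resp_der, issuer_name_der, issuer_key_hash):
    """'embedded': signer cert ships in the response; 'issuer': responderID is the
    issuer, so -VAfile <issuer> suffices; 'external': a delegated responder cert is needed."""
    _, outer, _ = read_tlv(resp_der)                 # OCSPResponse SEQUENCE
    _, rb, _ = read_tlv(children(outer)[1][1])       # [0] EXPLICIT ResponseBytes
    (_, oid), (_, octets) = children(rb)
    assert oid == OCSP_BASIC, "not id-pkix-ocsp-basic"
    _, basic, _ = read_tlv(octets)                   # OCTET STRING -> BasicOCSPResponse
    parts = children(basic)       # tbsResponseData, sigAlg, signature, certs [0] OPTIONAL
    if any(tag == 0xA0 for tag, _ in parts[3:]):
        return "embedded"
    tbs = children(parts[0][1])
    rid_tag, rid = tbs[1 if tbs[0][0] == 0xA0 else 0]   # skip optional version [0]
    by_name = rid_tag == 0xA1 and rid == issuer_name_der                # byName [1] Name
    by_key = rid_tag == 0xA2 and read_tlv(rid)[1] == issuer_key_hash   # byKey [2] KeyHash
    return "issuer" if by_name or by_key else "external"

def sample_response(responder_id, embed_cert=False):
    """Constructed response: real layout, dummy signature and a stub certificate."""
    tbs = der(0x30, responder_id + der(0x18, b"20160418000000Z") + der(0x30, b""))
    basic = tbs + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b"))) + der(0x03, bytes(17))
    if embed_cert:
        basic += der(0xA0, der(0x30, der(0x30, b"")))   # certs [0] SEQUENCE OF Certificate
    rb = der(0x30, der(0x06, OCSP_BASIC) + der(0x04, der(0x30, basic)))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, rb))   # responseStatus successful(0)

# Constructed issuer identity: a CN-only Name and a placeholder 20-byte key hash.
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Constructed Issuer CA"))))
ISSUER_KEY_HASH = bytes(range(20))
```

Run against a real response saved with -respout, an "external" result is the situation Torsten describes: openssl needs the responder certificate via -VAfile, and a verifier that only knows the issuer reports "signer certificate not found".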
