On 19/04/16 10:57, Wolfgang Breyha wrote:
> Wolfgang Breyha wrote on 18/04/16 17:52:
>> Hi!
>>
>> I tried to set up OCSP stapling and had some surprises to overcome:
>>
>> I think the supplied script "ocsp_fetch.pl" will fail in many cases following
>> the included help.
>>
>> I took the openssl command it issues ...
>> # openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
>>   -respout <file>
>> and experimented until it worked for all of my certificates. Things I noticed
>> for openssl 1.0.1+:
>> *) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
>> *) some OCSP servers need an undocumented "-header Host <hostname>"
>>    option to get through to the correct virtual host (eg. globaltrust)
>>    404 Forbidden response otherwise
>> *) some OCSP servers answer with the response certificate to use for -VAfile
>>    verification. (eg. alphassl/globalsign. I used -text first to get it.)
>> *) for many OCSP servers it is sufficient to use the "-issuer" cert for
>>    "-VAfile" as well to verify the response.
>
> Some further notes:
> *) -VAfile seems the same as "-trust_other -verify_other <PEM>"
> *) using "-verify_other <PEM> -CAfile <cert.bundle>" checks the chain as well
>    and also works
>
> But in case the OCSP response is signed with an intermediate Cert which is not
> part of the Response Exim will not accept it. At least I found no way to
> successfully load such an OCSP response.
Mmmpff. Do you _want_ to trust it, when it's not signed by the CA for the cert?

-- 
Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
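The option combinations from the quoted notes (-CAfile, -VAfile, -verify_other plus -CAfile) and the failing case at the end of them (a response signed by a delegated certificate that is not included in the response) can be reproduced entirely offline with openssl. The script below is an added example, not code from this thread, from Exim or from ocsp_fetch.pl: it builds a throwaway CA, a leaf certificate and a delegated OCSP signer, answers an OCSP request with "openssl ocsp" in responder mode, and then runs the verification styles side by side. All names, serials, file names and the working directory are constructed for the demo; it assumes an openssl binary (1.1.1 or 3.x) and a default openssl.cnf on the PATH.

```shell
#!/bin/sh
# Added demo (not from the exim-users thread): throwaway CA, leaf cert,
# delegated OCSP signer, a locally signed OCSP response, and the verify
# options discussed above. Everything here is constructed; nothing is
# fetched from the network.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extension sections for the leaf cert and the delegated responder cert.
cat > ext.cnf <<'EOF'
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
[ocsp]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = critical,OCSPSigning
EOF

# Self-signed demo CA: the "-issuer" certificate of the thread.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=Demo-CA -days 2 >/dev/null 2>&1

# issue NAME SERIAL EXT_SECTION: key, CSR and a CA-signed certificate.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 1 -extfile ext.cnf -extensions "$3" -out "$1.pem" >/dev/null 2>&1
}
issue server.test 1000 leaf   # the certificate we want a staple for
issue ocsp-signer 2000 ocsp   # delegated responder; deliberately not the CA

# Responder database: status, expiry, revocation date (empty), serial in
# the hex form BN_bn2hex prints (1000 = 03E8), file name, subject.
printf 'V\t301231235959Z\t\t03E8\tunknown\t/CN=server.test\n' > index.txt

# The request that the "-url" fetch in the thread would send, kept in a file.
openssl ocsp -issuer ca.pem -cert server.test.pem -no_nonce -reqout req.der \
  >/dev/null 2>&1

# respond OUTFILE [responder options]: sign an answer with the delegated
# signer. By default its certificate is embedded in the response;
# "-resp_no_certs" leaves it out, which is the case the notes end on.
respond() {
  out=$1; shift
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp-signer.pem \
    -rkey ocsp-signer.key -reqin req.der -respout "$out" "$@" >/dev/null 2>&1
}
respond with_certs.der
respond no_certs.der -resp_no_certs

# verify RESPFILE [verification options]: prints "ok" when "openssl ocsp"
# accepts the response under those options, "fail" otherwise.
verify() {
  resp=$1; shift
  if openssl ocsp -issuer ca.pem -cert server.test.pem -respin "$resp" "$@" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Chain check against the CA only: works while the signer cert travels in
# the response, because the chain is built from the response's own certs
# and the OCSPSigning EKU is checked on it.
echo "signer in response, -CAfile ca.pem:            $(verify with_certs.der -CAfile ca.pem)"
echo "signer missing,     -CAfile ca.pem:            $(verify no_certs.der -CAfile ca.pem)"
# -VAfile: trust the named responder cert outright, no chain check
# (equivalent to "-trust_other -verify_other").
echo "signer missing,     -VAfile ocsp-signer.pem:   $(verify no_certs.der -VAfile ocsp-signer.pem)"
# -verify_other plus -CAfile: supply the signer cert out of band but still
# chain it to the CA, so a substituted signer is still rejected.
echo "signer missing,     -verify_other + -CAfile:   $(verify no_certs.der -verify_other ocsp-signer.pem -CAfile ca.pem)"
```

The first and last lines print "ok", the second "fail", the third "ok". The difference between the last two is the one that matters when choosing a stapling setup: -VAfile accepts anything signed by the listed certificate without checking who issued it, whereas -verify_other together with -CAfile still requires that certificate to chain to the issuing CA and carry the OCSPSigning extended key usage, which is the check a verifier such as Exim is applying when it refuses a response whose signer is absent from the response.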
